mirror of
https://github.com/github/codeql.git
synced 2025-12-16 16:53:25 +01:00
Merge remote-tracking branch 'upstream/main' into post-release-prep/codeql-cli-2.13.3
This commit is contained in:
Arthur Baars
3
.github/workflows/check-change-note.yml
vendored
3
.github/workflows/check-change-note.yml
vendored
@@ -11,7 +11,6 @@ on:
|
||||
- "*/ql/lib/**/*.yml"
|
||||
- "!**/experimental/**"
|
||||
- "!ql/**"
|
||||
- "!swift/**"
|
||||
- ".github/workflows/check-change-note.yml"
|
||||
|
||||
jobs:
|
||||
@@ -32,4 +31,4 @@ jobs:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
run: |
|
||||
gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq '[.[].filename | select(test("/change-notes/.*[.]md$"))] | all(test("/change-notes/[0-9]{4}-[0-9]{2}-[0-9]{2}.*[.]md$") or test("/change-notes/released/[0-9]*[.][0-9]*[.][0-9]*[.]md$"))' |
|
||||
grep true -c
|
||||
grep true -c
|
||||
|
||||
2
.github/workflows/ql-for-ql-build.yml
vendored
2
.github/workflows/ql-for-ql-build.yml
vendored
@@ -32,7 +32,7 @@ jobs:
|
||||
path: |
|
||||
ql/extractor-pack/
|
||||
ql/target/release/buramu
|
||||
key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-extractor-${{ hashFiles('ql/**/Cargo.lock') }}-${{ hashFiles('ql/**/*.rs') }}
|
||||
key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-extractor-${{ hashFiles('ql/**/Cargo.lock') }}-${{ hashFiles('shared/tree-sitter-extractor') }}-${{ hashFiles('ql/**/*.rs') }}
|
||||
- name: Cache cargo
|
||||
if: steps.cache-extractor.outputs.cache-hit != 'true'
|
||||
uses: actions/cache@v3
|
||||
|
||||
2
.github/workflows/ruby-build.yml
vendored
2
.github/workflows/ruby-build.yml
vendored
@@ -61,7 +61,7 @@ jobs:
|
||||
ruby/extractor/target/release/codeql-extractor-ruby
|
||||
ruby/extractor/target/release/codeql-extractor-ruby.exe
|
||||
ruby/extractor/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
|
||||
key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-extractor-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/Cargo.lock') }}--${{ hashFiles('ruby/extractor/**/*.rs') }}
|
||||
key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-extractor-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/Cargo.lock') }}-${{ hashFiles('shared/tree-sitter-extractor') }}-${{ hashFiles('ruby/extractor/**/*.rs') }}
|
||||
- uses: actions/cache@v3
|
||||
if: steps.cache-extractor.outputs.cache-hit != 'true'
|
||||
with:
|
||||
|
||||
2
.github/workflows/sync-files.yml
vendored
2
.github/workflows/sync-files.yml
vendored
@@ -17,4 +17,6 @@ jobs:
|
||||
- uses: actions/checkout@v3
|
||||
- name: Check synchronized files
|
||||
run: python config/sync-files.py
|
||||
- name: Check dbscheme fragments
|
||||
run: python config/sync-dbscheme-fragments.py
|
||||
|
||||
|
||||
33
config/dbscheme-fragments.json
Normal file
33
config/dbscheme-fragments.json
Normal file
@@ -0,0 +1,33 @@
|
||||
{
|
||||
"files": [
|
||||
"javascript/ql/lib/semmlecode.javascript.dbscheme",
|
||||
"python/ql/lib/semmlecode.python.dbscheme",
|
||||
"ruby/ql/lib/ruby.dbscheme",
|
||||
"ql/ql/src/ql.dbscheme"
|
||||
],
|
||||
"fragments": [
|
||||
"/*- External data -*/",
|
||||
"/*- Files and folders -*/",
|
||||
"/*- Diagnostic messages -*/",
|
||||
"/*- Diagnostic messages: severity -*/",
|
||||
"/*- Source location prefix -*/",
|
||||
"/*- Lines of code -*/",
|
||||
"/*- Configuration files with key value pairs -*/",
|
||||
"/*- YAML -*/",
|
||||
"/*- XML Files -*/",
|
||||
"/*- XML: sourceline -*/",
|
||||
"/*- DEPRECATED: External defects and metrics -*/",
|
||||
"/*- DEPRECATED: Snapshot date -*/",
|
||||
"/*- DEPRECATED: Duplicate code -*/",
|
||||
"/*- DEPRECATED: Version control data -*/",
|
||||
"/*- JavaScript-specific part -*/",
|
||||
"/*- Ruby dbscheme -*/",
|
||||
"/*- Erb dbscheme -*/",
|
||||
"/*- QL dbscheme -*/",
|
||||
"/*- Dbscheme dbscheme -*/",
|
||||
"/*- Yaml dbscheme -*/",
|
||||
"/*- Blame dbscheme -*/",
|
||||
"/*- JSON dbscheme -*/",
|
||||
"/*- Python dbscheme -*/"
|
||||
]
|
||||
}
|
||||
86
config/sync-dbscheme-fragments.py
Executable file
86
config/sync-dbscheme-fragments.py
Executable file
@@ -0,0 +1,86 @@
|
||||
#!/usr/bin/env python3
|
||||
|
||||
import argparse
|
||||
import json
|
||||
import os
|
||||
import pathlib
|
||||
import re
|
||||
|
||||
|
||||
def make_groups(blocks):
|
||||
groups = {}
|
||||
for block in blocks:
|
||||
groups.setdefault("".join(block["lines"]), []).append(block)
|
||||
return list(groups.values())
|
||||
|
||||
|
||||
def validate_fragments(fragments):
|
||||
ok = True
|
||||
for header, blocks in fragments.items():
|
||||
groups = make_groups(blocks)
|
||||
if len(groups) > 1:
|
||||
ok = False
|
||||
print("Warning: dbscheme fragments with header '{}' are different for {}".format(header, ["{}:{}:{}".format(
|
||||
group[0]["file"], group[0]["start"], group[0]["end"]) for group in groups]))
|
||||
return ok
|
||||
|
||||
|
||||
def main():
|
||||
script_path = os.path.realpath(__file__)
|
||||
script_dir = os.path.dirname(script_path)
|
||||
parser = argparse.ArgumentParser(
|
||||
prog=os.path.basename(script_path),
|
||||
description='Sync dbscheme fragments across files.'
|
||||
)
|
||||
parser.add_argument('files', metavar='dbscheme_file', type=pathlib.Path, nargs='*', default=[],
|
||||
help='dbscheme files to check')
|
||||
args = parser.parse_args()
|
||||
|
||||
with open(os.path.join(script_dir, "dbscheme-fragments.json"), "r") as f:
|
||||
config = json.load(f)
|
||||
|
||||
fragment_headers = set(config["fragments"])
|
||||
fragments = {}
|
||||
ok = True
|
||||
for file in args.files + config["files"]:
|
||||
with open(os.path.join(os.path.dirname(script_dir), file), "r") as dbscheme:
|
||||
header = None
|
||||
line_number = 1
|
||||
block = {"file": file, "start": line_number,
|
||||
"end": None, "lines": []}
|
||||
|
||||
def end_block():
|
||||
block["end"] = line_number - 1
|
||||
if len(block["lines"]) > 0:
|
||||
if header is None:
|
||||
if re.match(r'(?m)\A(\s|//.*$|/\*(\**[^\*])*\*+/)*\Z', "".join(block["lines"])):
|
||||
# Ignore comments at the beginning of the file
|
||||
pass
|
||||
else:
|
||||
ok = False
|
||||
print("Warning: dbscheme fragment without header: {}:{}:{}".format(
|
||||
block["file"], block["start"], block["end"]))
|
||||
else:
|
||||
fragments.setdefault(header, []).append(block)
|
||||
for line in dbscheme:
|
||||
m = re.match(r"^\/\*-.*-\*\/$", line)
|
||||
if m:
|
||||
end_block()
|
||||
header = line.strip()
|
||||
if header not in fragment_headers:
|
||||
ok = False
|
||||
print("Warning: unknown header for dbscheme fragment: '{}': {}:{}".format(
|
||||
header, file, line_number))
|
||||
block = {"file": file, "start": line_number,
|
||||
"end": None, "lines": []}
|
||||
block["lines"].append(line)
|
||||
line_number += 1
|
||||
block["lines"].append('\n')
|
||||
line_number += 1
|
||||
end_block()
|
||||
if not ok or not validate_fragments(fragments):
|
||||
exit(1)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
@@ -210,8 +210,8 @@ class IndirectOperand extends Node {
|
||||
this.(RawIndirectOperand).getOperand() = operand and
|
||||
this.(RawIndirectOperand).getIndirectionIndex() = indirectionIndex
|
||||
or
|
||||
this.(OperandNode).getOperand() =
|
||||
Ssa::getIRRepresentationOfIndirectOperand(operand, indirectionIndex)
|
||||
nodeHasOperand(this, Ssa::getIRRepresentationOfIndirectOperand(operand, indirectionIndex),
|
||||
indirectionIndex - 1)
|
||||
}
|
||||
|
||||
/** Gets the underlying operand. */
|
||||
@@ -250,8 +250,8 @@ class IndirectInstruction extends Node {
|
||||
this.(RawIndirectInstruction).getInstruction() = instr and
|
||||
this.(RawIndirectInstruction).getIndirectionIndex() = indirectionIndex
|
||||
or
|
||||
this.(InstructionNode).getInstruction() =
|
||||
Ssa::getIRRepresentationOfIndirectInstruction(instr, indirectionIndex)
|
||||
nodeHasInstruction(this, Ssa::getIRRepresentationOfIndirectInstruction(instr, indirectionIndex),
|
||||
indirectionIndex - 1)
|
||||
}
|
||||
|
||||
/** Gets the underlying instruction. */
|
||||
|
||||
@@ -1640,8 +1640,15 @@ predicate localInstructionFlow(Instruction e1, Instruction e2) {
|
||||
localFlow(instructionNode(e1), instructionNode(e2))
|
||||
}
|
||||
|
||||
/**
|
||||
* INTERNAL: Do not use.
|
||||
*
|
||||
* Ideally this module would be private, but the `asExprInternal` predicate is
|
||||
* needed in `DefaultTaintTrackingImpl`. Once `DefaultTaintTrackingImpl` is gone
|
||||
* we can make this module private.
|
||||
*/
|
||||
cached
|
||||
private module ExprFlowCached {
|
||||
module ExprFlowCached {
|
||||
/**
|
||||
* Holds if `n` is an indirect operand of a `PointerArithmeticInstruction`, and
|
||||
* `e` is the result of loading from the `PointerArithmeticInstruction`.
|
||||
@@ -1692,7 +1699,8 @@ private module ExprFlowCached {
|
||||
* `x[i]` steps to the expression `x[i - 1]` without traversing the
|
||||
* entire chain.
|
||||
*/
|
||||
private Expr asExpr(Node n) {
|
||||
cached
|
||||
Expr asExprInternal(Node n) {
|
||||
isIndirectBaseOfArrayAccess(n, result)
|
||||
or
|
||||
not isIndirectBaseOfArrayAccess(n, _) and
|
||||
@@ -1704,7 +1712,7 @@ private module ExprFlowCached {
|
||||
* dataflow step.
|
||||
*/
|
||||
private predicate localStepFromNonExpr(Node n1, Node n2) {
|
||||
not exists(asExpr(n1)) and
|
||||
not exists(asExprInternal(n1)) and
|
||||
localFlowStep(n1, n2)
|
||||
}
|
||||
|
||||
@@ -1715,7 +1723,7 @@ private module ExprFlowCached {
|
||||
pragma[nomagic]
|
||||
private predicate localStepsToExpr(Node n1, Node n2, Expr e2) {
|
||||
localStepFromNonExpr*(n1, n2) and
|
||||
e2 = asExpr(n2)
|
||||
e2 = asExprInternal(n2)
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -1726,7 +1734,7 @@ private module ExprFlowCached {
|
||||
exists(Node mid |
|
||||
localFlowStep(n1, mid) and
|
||||
localStepsToExpr(mid, n2, e2) and
|
||||
e1 = asExpr(n1)
|
||||
e1 = asExprInternal(n1)
|
||||
)
|
||||
}
|
||||
|
||||
|
||||
@@ -60,7 +60,7 @@ private DataFlow::Node getNodeForSource(Expr source) {
|
||||
}
|
||||
|
||||
private DataFlow::Node getNodeForExpr(Expr node) {
|
||||
result = DataFlow::exprNode(node)
|
||||
node = DataFlow::ExprFlowCached::asExprInternal(result)
|
||||
or
|
||||
// Some of the sources in `isUserInput` are intended to match the value of
|
||||
// an expression, while others (those modeled below) are intended to match
|
||||
@@ -221,7 +221,7 @@ private module Cached {
|
||||
predicate nodeIsBarrierIn(DataFlow::Node node) {
|
||||
// don't use dataflow into taint sources, as this leads to duplicate results.
|
||||
exists(Expr source | isUserInput(source, _) |
|
||||
node = DataFlow::exprNode(source)
|
||||
source = DataFlow::ExprFlowCached::asExprInternal(node)
|
||||
or
|
||||
// This case goes together with the similar (but not identical) rule in
|
||||
// `getNodeForSource`.
|
||||
|
||||
@@ -0,0 +1,38 @@
|
||||
/**
|
||||
* Print the dataflow local store steps in IR dumps.
|
||||
*/
|
||||
|
||||
private import cpp
|
||||
private import semmle.code.cpp.ir.IR
|
||||
private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
|
||||
private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
|
||||
private import PrintIRUtilities
|
||||
|
||||
/** A property provider for local IR dataflow store steps. */
|
||||
class FieldFlowPropertyProvider extends IRPropertyProvider {
|
||||
override string getOperandProperty(Operand operand, string key) {
|
||||
exists(PostFieldUpdateNode pfun, Content content |
|
||||
key = "store " + content.toString() and
|
||||
operand = pfun.getPreUpdateNode().(IndirectOperand).getOperand() and
|
||||
result =
|
||||
strictconcat(string element, Node node |
|
||||
storeStep(node, content, pfun) and
|
||||
element = nodeId(node, _, _)
|
||||
|
|
||||
element, ", "
|
||||
)
|
||||
)
|
||||
or
|
||||
exists(Node node2, Content content |
|
||||
key = "read " + content.toString() and
|
||||
operand = node2.(IndirectOperand).getOperand() and
|
||||
result =
|
||||
strictconcat(string element, Node node1 |
|
||||
readStep(node1, content, node2) and
|
||||
element = nodeId(node1, _, _)
|
||||
|
|
||||
element, ", "
|
||||
)
|
||||
)
|
||||
}
|
||||
}
|
||||
@@ -1,119 +1,44 @@
|
||||
private import cpp
|
||||
// The `ValueNumbering` library has to be imported right after `cpp` to ensure
|
||||
// that the cached IR gets the same checksum here as it does in queries that use
|
||||
// `ValueNumbering` without `DataFlow`.
|
||||
private import semmle.code.cpp.ir.ValueNumbering
|
||||
private import semmle.code.cpp.ir.IR
|
||||
private import semmle.code.cpp.ir.dataflow.DataFlow
|
||||
private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
|
||||
private import SsaInternals as Ssa
|
||||
private import PrintIRUtilities
|
||||
|
||||
/**
|
||||
* Gets the local dataflow from other nodes in the same function to this node.
|
||||
*/
|
||||
private string getFromFlow(DataFlow::Node useNode, int order1, int order2) {
|
||||
exists(DataFlow::Node defNode, string prefix |
|
||||
(
|
||||
simpleLocalFlowStep(defNode, useNode) and prefix = ""
|
||||
or
|
||||
any(DataFlow::Configuration cfg).isAdditionalFlowStep(defNode, useNode) and
|
||||
defNode.getEnclosingCallable() = useNode.getEnclosingCallable() and
|
||||
prefix = "+"
|
||||
) and
|
||||
if defNode.asInstruction() = useNode.asOperand().getAnyDef()
|
||||
then
|
||||
// Shorthand for flow from the def of this operand.
|
||||
result = prefix + "def" and
|
||||
order1 = -1 and
|
||||
order2 = 0
|
||||
else
|
||||
if defNode.asOperand().getUse() = useNode.asInstruction()
|
||||
then
|
||||
// Shorthand for flow from an operand of this instruction
|
||||
result = prefix + defNode.asOperand().getDumpId() and
|
||||
order1 = -1 and
|
||||
order2 = defNode.asOperand().getDumpSortOrder()
|
||||
else result = prefix + nodeId(defNode, order1, order2)
|
||||
private string getFromFlow(Node node2, int order1, int order2) {
|
||||
exists(Node node1 |
|
||||
simpleLocalFlowStep(node1, node2) and
|
||||
result = nodeId(node1, order1, order2)
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the local dataflow from this node to other nodes in the same function.
|
||||
*/
|
||||
private string getToFlow(DataFlow::Node defNode, int order1, int order2) {
|
||||
exists(DataFlow::Node useNode, string prefix |
|
||||
(
|
||||
simpleLocalFlowStep(defNode, useNode) and prefix = ""
|
||||
or
|
||||
any(DataFlow::Configuration cfg).isAdditionalFlowStep(defNode, useNode) and
|
||||
defNode.getEnclosingCallable() = useNode.getEnclosingCallable() and
|
||||
prefix = "+"
|
||||
) and
|
||||
if useNode.asInstruction() = defNode.asOperand().getUse()
|
||||
then
|
||||
// Shorthand for flow to this operand's instruction.
|
||||
result = prefix + "result" and
|
||||
order1 = -1 and
|
||||
order2 = 0
|
||||
else result = prefix + nodeId(useNode, order1, order2)
|
||||
private string getToFlow(Node node1, int order1, int order2) {
|
||||
exists(Node node2 |
|
||||
simpleLocalFlowStep(node1, node2) and
|
||||
result = nodeId(node2, order1, order2)
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the properties of the dataflow node `node`.
|
||||
*/
|
||||
private string getNodeProperty(DataFlow::Node node, string key) {
|
||||
private string getNodeProperty(Node node, string key) {
|
||||
// List dataflow into and out of this node. Flow into this node is printed as `src->@`, and flow
|
||||
// out of this node is printed as `@->dest`.
|
||||
key = "flow" and
|
||||
result =
|
||||
strictconcat(string flow, boolean to, int order1, int order2 |
|
||||
flow = getFromFlow(node, order1, order2) + "->@" and to = false
|
||||
flow = getFromFlow(node, order1, order2) + "->" + starsForNode(node) + "@" and to = false
|
||||
or
|
||||
flow = "@->" + getToFlow(node, order1, order2) and to = true
|
||||
flow = starsForNode(node) + "@->" + getToFlow(node, order1, order2) and to = true
|
||||
|
|
||||
flow, ", " order by to, order1, order2, flow
|
||||
)
|
||||
or
|
||||
// Is this node a dataflow sink?
|
||||
key = "sink" and
|
||||
any(DataFlow::Configuration cfg).isSink(node) and
|
||||
result = "true"
|
||||
or
|
||||
// Is this node a dataflow source?
|
||||
key = "source" and
|
||||
any(DataFlow::Configuration cfg).isSource(node) and
|
||||
result = "true"
|
||||
or
|
||||
// Is this node a dataflow barrier, and if so, what kind?
|
||||
key = "barrier" and
|
||||
result =
|
||||
strictconcat(string kind |
|
||||
any(DataFlow::Configuration cfg).isBarrier(node) and kind = "full"
|
||||
or
|
||||
any(DataFlow::Configuration cfg).isBarrierIn(node) and kind = "in"
|
||||
or
|
||||
any(DataFlow::Configuration cfg).isBarrierOut(node) and kind = "out"
|
||||
|
|
||||
kind, ", "
|
||||
)
|
||||
// or
|
||||
// // Is there partial flow from a source to this node?
|
||||
// // This property will only be emitted if partial flow is enabled by overriding
|
||||
// // `DataFlow::Configuration::explorationLimit()`.
|
||||
// key = "pflow" and
|
||||
// result =
|
||||
// strictconcat(DataFlow::PartialPathNode sourceNode, DataFlow::PartialPathNode destNode, int dist,
|
||||
// int order1, int order2 |
|
||||
// any(DataFlow::Configuration cfg).hasPartialFlow(sourceNode, destNode, dist) and
|
||||
// destNode.getNode() = node and
|
||||
// // Only print flow from a source in the same function.
|
||||
// sourceNode.getNode().getEnclosingCallable() = node.getEnclosingCallable()
|
||||
// |
|
||||
// nodeId(sourceNode.getNode(), order1, order2) + "+" + dist.toString(), ", "
|
||||
// order by
|
||||
// order1, order2, dist desc
|
||||
// )
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -121,16 +46,21 @@ private string getNodeProperty(DataFlow::Node node, string key) {
|
||||
*/
|
||||
class LocalFlowPropertyProvider extends IRPropertyProvider {
|
||||
override string getOperandProperty(Operand operand, string key) {
|
||||
exists(DataFlow::Node node |
|
||||
operand = node.asOperand() and
|
||||
exists(Node node |
|
||||
operand = [node.asOperand(), node.(RawIndirectOperand).getOperand()] and
|
||||
result = getNodeProperty(node, key)
|
||||
)
|
||||
}
|
||||
|
||||
override string getInstructionProperty(Instruction instruction, string key) {
|
||||
exists(DataFlow::Node node |
|
||||
instruction = node.asInstruction() and
|
||||
exists(Node node |
|
||||
instruction = [node.asInstruction(), node.(RawIndirectInstruction).getInstruction()]
|
||||
|
|
||||
result = getNodeProperty(node, key)
|
||||
)
|
||||
}
|
||||
|
||||
override predicate shouldPrintOperand(Operand operand) { not Ssa::ignoreOperand(operand) }
|
||||
|
||||
override predicate shouldPrintInstruction(Instruction instr) { not Ssa::ignoreInstruction(instr) }
|
||||
}
|
||||
|
||||
@@ -1,33 +0,0 @@
|
||||
/**
|
||||
* Print the dataflow local store steps in IR dumps.
|
||||
*/
|
||||
|
||||
private import cpp
|
||||
// The `ValueNumbering` library has to be imported right after `cpp` to ensure
|
||||
// that the cached IR gets the same checksum here as it does in queries that use
|
||||
// `ValueNumbering` without `DataFlow`.
|
||||
private import semmle.code.cpp.ir.ValueNumbering
|
||||
private import semmle.code.cpp.ir.IR
|
||||
private import semmle.code.cpp.ir.dataflow.DataFlow
|
||||
private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
|
||||
private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
|
||||
private import PrintIRUtilities
|
||||
|
||||
/**
|
||||
* Property provider for local IR dataflow store steps.
|
||||
*/
|
||||
class LocalFlowPropertyProvider extends IRPropertyProvider {
|
||||
override string getInstructionProperty(Instruction instruction, string key) {
|
||||
exists(DataFlow::Node objectNode, Content content |
|
||||
key = "content[" + content.toString() + "]" and
|
||||
instruction = objectNode.asInstruction() and
|
||||
result =
|
||||
strictconcat(string element, DataFlow::Node fieldNode |
|
||||
storeStep(fieldNode, content, objectNode) and
|
||||
element = nodeId(fieldNode, _, _)
|
||||
|
|
||||
element, ", "
|
||||
)
|
||||
)
|
||||
}
|
||||
}
|
||||
@@ -3,37 +3,59 @@
|
||||
*/
|
||||
|
||||
private import cpp
|
||||
// The `ValueNumbering` library has to be imported right after `cpp` to ensure
|
||||
// that the cached IR gets the same checksum here as it does in queries that use
|
||||
// `ValueNumbering` without `DataFlow`.
|
||||
private import semmle.code.cpp.ir.ValueNumbering
|
||||
private import semmle.code.cpp.ir.IR
|
||||
private import semmle.code.cpp.ir.dataflow.DataFlow
|
||||
private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
|
||||
private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
|
||||
|
||||
private string stars(int k) {
|
||||
k =
|
||||
[0 .. max([
|
||||
any(RawIndirectInstruction n).getIndirectionIndex(),
|
||||
any(RawIndirectOperand n).getIndirectionIndex()
|
||||
]
|
||||
)] and
|
||||
(if k = 0 then result = "" else result = "*" + stars(k - 1))
|
||||
}
|
||||
|
||||
string starsForNode(Node node) {
|
||||
result = stars(node.(IndirectInstruction).getIndirectionIndex())
|
||||
or
|
||||
result = stars(node.(IndirectOperand).getIndirectionIndex())
|
||||
or
|
||||
not node instanceof IndirectInstruction and
|
||||
not node instanceof IndirectOperand and
|
||||
result = ""
|
||||
}
|
||||
|
||||
private Instruction getInstruction(Node n, string stars) {
|
||||
result = [n.asInstruction(), n.(RawIndirectInstruction).getInstruction()] and
|
||||
stars = starsForNode(n)
|
||||
}
|
||||
|
||||
private Operand getOperand(Node n, string stars) {
|
||||
result = [n.asOperand(), n.(RawIndirectOperand).getOperand()] and
|
||||
stars = starsForNode(n)
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets a short ID for an IR dataflow node.
|
||||
* - For `Instruction`s, this is just the result ID of the instruction (e.g. `m128`).
|
||||
* - For `Operand`s, this is the label of the operand, prefixed with the result ID of the
|
||||
* instruction and a dot (e.g. `m128.left`).
|
||||
* - For `Variable`s, this is the qualified name of the variable.
|
||||
*/
|
||||
string nodeId(DataFlow::Node node, int order1, int order2) {
|
||||
exists(Instruction instruction | instruction = node.asInstruction() |
|
||||
result = instruction.getResultId() and
|
||||
string nodeId(Node node, int order1, int order2) {
|
||||
exists(Instruction instruction, string stars | instruction = getInstruction(node, stars) |
|
||||
result = stars + instruction.getResultId() and
|
||||
order1 = instruction.getBlock().getDisplayIndex() and
|
||||
order2 = instruction.getDisplayIndexInBlock()
|
||||
)
|
||||
or
|
||||
exists(Operand operand, Instruction instruction |
|
||||
operand = node.asOperand() and
|
||||
exists(Operand operand, Instruction instruction, string stars |
|
||||
operand = getOperand(node, stars) and
|
||||
instruction = operand.getUse()
|
||||
|
|
||||
result = instruction.getResultId() + "." + operand.getDumpId() and
|
||||
result = stars + instruction.getResultId() + "." + operand.getDumpId() and
|
||||
order1 = instruction.getBlock().getDisplayIndex() and
|
||||
order2 = instruction.getDisplayIndexInBlock()
|
||||
)
|
||||
or
|
||||
result = "var(" + node.asVariable().getQualifiedName() + ")" and
|
||||
order1 = 1000000 and
|
||||
order2 = 0
|
||||
}
|
||||
|
||||
@@ -1,10 +1,29 @@
|
||||
import semmle.code.cpp.ir.dataflow.DataFlow
|
||||
private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
|
||||
private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
|
||||
private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplCommon
|
||||
/**
|
||||
* Provides a library for global (inter-procedural) data flow analysis of two
|
||||
* values "simultaneously". This can be used, for example, if you want to track
|
||||
* a memory allocation as well as the size of the allocation.
|
||||
*
|
||||
* Intuitively, you can think of this as regular dataflow, but where each node
|
||||
* in the dataflow graph has been replaced by a pair of nodes `(node1, node2)`,
|
||||
* and two node pairs `(n11, n12)`, `(n21, n22)` is then connected by a dataflow
|
||||
* edge if there's a regular dataflow edge between `n11` and `n21`, and `n12`
|
||||
* and `n22`.
|
||||
*
|
||||
* Note that the above intuition does not reflect the actual implementation.
|
||||
*/
|
||||
|
||||
import semmle.code.cpp.dataflow.new.DataFlow
|
||||
private import DataFlowPrivate
|
||||
private import DataFlowUtil
|
||||
private import DataFlowImplCommon
|
||||
private import codeql.util.Unit
|
||||
|
||||
/**
|
||||
* Provides classes for performing global (inter-procedural) data flow analyses
|
||||
* on a product dataflow graph.
|
||||
*/
|
||||
module ProductFlow {
|
||||
/** An input configuration for product data-flow. */
|
||||
signature module ConfigSig {
|
||||
/**
|
||||
* Holds if `(source1, source2)` is a relevant data flow source.
|
||||
@@ -70,6 +89,9 @@ module ProductFlow {
|
||||
default predicate isBarrierIn2(DataFlow::Node node) { none() }
|
||||
}
|
||||
|
||||
/**
|
||||
* The output of a global data flow computation.
|
||||
*/
|
||||
module Global<ConfigSig Config> {
|
||||
private module StateConfig implements StateConfigSig {
|
||||
class FlowState1 = Unit;
|
||||
@@ -138,6 +160,7 @@ module ProductFlow {
|
||||
import GlobalWithState<StateConfig>
|
||||
}
|
||||
|
||||
/** An input configuration for data flow using flow state. */
|
||||
signature module StateConfigSig {
|
||||
bindingset[this]
|
||||
class FlowState1;
|
||||
@@ -247,6 +270,9 @@ module ProductFlow {
|
||||
default predicate isBarrierIn2(DataFlow::Node node) { none() }
|
||||
}
|
||||
|
||||
/**
|
||||
* The output of a global data flow computation.
|
||||
*/
|
||||
module GlobalWithState<StateConfigSig Config> {
|
||||
class PathNode1 = Flow1::PathNode;
|
||||
|
||||
@@ -260,6 +286,7 @@ module ProductFlow {
|
||||
|
||||
class FlowState2 = Config::FlowState2;
|
||||
|
||||
/** Holds if data can flow from `(source1, source2)` to `(sink1, sink2)`. */
|
||||
predicate flowPath(
|
||||
Flow1::PathNode source1, Flow2::PathNode source2, Flow1::PathNode sink1, Flow2::PathNode sink2
|
||||
) {
|
||||
@@ -77,4 +77,16 @@ class IRPropertyProvider extends TIRPropertyProvider {
|
||||
* Gets the value of the property named `key` for the specified operand.
|
||||
*/
|
||||
string getOperandProperty(Operand operand, string key) { none() }
|
||||
|
||||
/**
|
||||
* Holds if the instruction `instr` should be included when printing
|
||||
* the IR instructions.
|
||||
*/
|
||||
predicate shouldPrintInstruction(Instruction instr) { any() }
|
||||
|
||||
/**
|
||||
* Holds if the operand `operand` should be included when printing the an
|
||||
* instruction's operand list.
|
||||
*/
|
||||
predicate shouldPrintOperand(Operand operand) { any() }
|
||||
}
|
||||
|
||||
@@ -255,14 +255,28 @@ private module Cached {
|
||||
cached
|
||||
newtype TIRBlock = MkIRBlock(Instruction firstInstr) { startsBasicBlock(firstInstr) }
|
||||
|
||||
/** Holds if `i` is the `index`th instruction the block starting with `first`. */
|
||||
private Instruction getInstructionFromFirst(Instruction first, int index) =
|
||||
shortestDistances(startsBasicBlock/1, adjacentInBlock/2)(first, result, index)
|
||||
/** Gets the index of `i` in its `IRBlock`. */
|
||||
private int getMemberIndex(Instruction i) {
|
||||
startsBasicBlock(i) and
|
||||
result = 0
|
||||
or
|
||||
exists(Instruction iPrev |
|
||||
adjacentInBlock(iPrev, i) and
|
||||
result = getMemberIndex(iPrev) + 1
|
||||
)
|
||||
}
|
||||
|
||||
private module BlockAdjacency = QlBuiltins::EquivalenceRelation<Instruction, adjacentInBlock/2>;
|
||||
|
||||
/** Holds if `i` is the `index`th instruction in `block`. */
|
||||
cached
|
||||
Instruction getInstruction(TIRBlock block, int index) {
|
||||
result = getInstructionFromFirst(getFirstInstruction(block), index)
|
||||
exists(Instruction first | block = MkIRBlock(first) |
|
||||
first = result and index = 0
|
||||
or
|
||||
index = getMemberIndex(result) and
|
||||
BlockAdjacency::getEquivalenceClass(first) = BlockAdjacency::getEquivalenceClass(result)
|
||||
)
|
||||
}
|
||||
|
||||
cached
|
||||
|
||||
@@ -42,6 +42,14 @@ private predicate shouldPrintFunction(Language::Declaration decl) {
|
||||
exists(PrintIRConfiguration config | config.shouldPrintFunction(decl))
|
||||
}
|
||||
|
||||
private predicate shouldPrintInstruction(Instruction i) {
|
||||
exists(IRPropertyProvider provider | provider.shouldPrintInstruction(i))
|
||||
}
|
||||
|
||||
private predicate shouldPrintOperand(Operand operand) {
|
||||
exists(IRPropertyProvider provider | provider.shouldPrintOperand(operand))
|
||||
}
|
||||
|
||||
private string getAdditionalInstructionProperty(Instruction instr, string key) {
|
||||
exists(IRPropertyProvider provider | result = provider.getInstructionProperty(instr, key))
|
||||
}
|
||||
@@ -84,7 +92,9 @@ private string getOperandPropertyString(Operand operand) {
|
||||
private newtype TPrintableIRNode =
|
||||
TPrintableIRFunction(IRFunction irFunc) { shouldPrintFunction(irFunc.getFunction()) } or
|
||||
TPrintableIRBlock(IRBlock block) { shouldPrintFunction(block.getEnclosingFunction()) } or
|
||||
TPrintableInstruction(Instruction instr) { shouldPrintFunction(instr.getEnclosingFunction()) }
|
||||
TPrintableInstruction(Instruction instr) {
|
||||
shouldPrintInstruction(instr) and shouldPrintFunction(instr.getEnclosingFunction())
|
||||
}
|
||||
|
||||
/**
|
||||
* A node to be emitted in the IR graph.
|
||||
@@ -252,7 +262,8 @@ private class PrintableInstruction extends PrintableIRNode, TPrintableInstructio
|
||||
private string getOperandsString() {
|
||||
result =
|
||||
concat(Operand operand |
|
||||
operand = instr.getAnOperand()
|
||||
operand = instr.getAnOperand() and
|
||||
shouldPrintOperand(operand)
|
||||
|
|
||||
operand.getDumpString() + getOperandPropertyString(operand), ", "
|
||||
order by
|
||||
|
||||
@@ -77,4 +77,16 @@ class IRPropertyProvider extends TIRPropertyProvider {
|
||||
* Gets the value of the property named `key` for the specified operand.
|
||||
*/
|
||||
string getOperandProperty(Operand operand, string key) { none() }
|
||||
|
||||
/**
|
||||
* Holds if the instruction `instr` should be included when printing
|
||||
* the IR instructions.
|
||||
*/
|
||||
predicate shouldPrintInstruction(Instruction instr) { any() }
|
||||
|
||||
/**
|
||||
* Holds if the operand `operand` should be included when printing the an
|
||||
* instruction's operand list.
|
||||
*/
|
||||
predicate shouldPrintOperand(Operand operand) { any() }
|
||||
}
|
||||
|
||||
@@ -255,14 +255,28 @@ private module Cached {
|
||||
cached
|
||||
newtype TIRBlock = MkIRBlock(Instruction firstInstr) { startsBasicBlock(firstInstr) }
|
||||
|
||||
/** Holds if `i` is the `index`th instruction the block starting with `first`. */
|
||||
private Instruction getInstructionFromFirst(Instruction first, int index) =
|
||||
shortestDistances(startsBasicBlock/1, adjacentInBlock/2)(first, result, index)
|
||||
/** Gets the index of `i` in its `IRBlock`. */
|
||||
private int getMemberIndex(Instruction i) {
|
||||
startsBasicBlock(i) and
|
||||
result = 0
|
||||
or
|
||||
exists(Instruction iPrev |
|
||||
adjacentInBlock(iPrev, i) and
|
||||
result = getMemberIndex(iPrev) + 1
|
||||
)
|
||||
}
|
||||
|
||||
private module BlockAdjacency = QlBuiltins::EquivalenceRelation<Instruction, adjacentInBlock/2>;
|
||||
|
||||
/** Holds if `i` is the `index`th instruction in `block`. */
|
||||
cached
|
||||
Instruction getInstruction(TIRBlock block, int index) {
|
||||
result = getInstructionFromFirst(getFirstInstruction(block), index)
|
||||
exists(Instruction first | block = MkIRBlock(first) |
|
||||
first = result and index = 0
|
||||
or
|
||||
index = getMemberIndex(result) and
|
||||
BlockAdjacency::getEquivalenceClass(first) = BlockAdjacency::getEquivalenceClass(result)
|
||||
)
|
||||
}
|
||||
|
||||
cached
|
||||
|
||||
@@ -42,6 +42,14 @@ private predicate shouldPrintFunction(Language::Declaration decl) {
|
||||
exists(PrintIRConfiguration config | config.shouldPrintFunction(decl))
|
||||
}
|
||||
|
||||
private predicate shouldPrintInstruction(Instruction i) {
|
||||
exists(IRPropertyProvider provider | provider.shouldPrintInstruction(i))
|
||||
}
|
||||
|
||||
private predicate shouldPrintOperand(Operand operand) {
|
||||
exists(IRPropertyProvider provider | provider.shouldPrintOperand(operand))
|
||||
}
|
||||
|
||||
private string getAdditionalInstructionProperty(Instruction instr, string key) {
|
||||
exists(IRPropertyProvider provider | result = provider.getInstructionProperty(instr, key))
|
||||
}
|
||||
@@ -84,7 +92,9 @@ private string getOperandPropertyString(Operand operand) {
|
||||
private newtype TPrintableIRNode =
|
||||
TPrintableIRFunction(IRFunction irFunc) { shouldPrintFunction(irFunc.getFunction()) } or
|
||||
TPrintableIRBlock(IRBlock block) { shouldPrintFunction(block.getEnclosingFunction()) } or
|
||||
TPrintableInstruction(Instruction instr) { shouldPrintFunction(instr.getEnclosingFunction()) }
|
||||
TPrintableInstruction(Instruction instr) {
|
||||
shouldPrintInstruction(instr) and shouldPrintFunction(instr.getEnclosingFunction())
|
||||
}
|
||||
|
||||
/**
|
||||
* A node to be emitted in the IR graph.
|
||||
@@ -252,7 +262,8 @@ private class PrintableInstruction extends PrintableIRNode, TPrintableInstructio
|
||||
private string getOperandsString() {
|
||||
result =
|
||||
concat(Operand operand |
|
||||
operand = instr.getAnOperand()
|
||||
operand = instr.getAnOperand() and
|
||||
shouldPrintOperand(operand)
|
||||
|
|
||||
operand.getDumpString() + getOperandPropertyString(operand), ", "
|
||||
order by
|
||||
|
||||
@@ -77,4 +77,16 @@ class IRPropertyProvider extends TIRPropertyProvider {
|
||||
* Gets the value of the property named `key` for the specified operand.
|
||||
*/
|
||||
string getOperandProperty(Operand operand, string key) { none() }
|
||||
|
||||
/**
|
||||
* Holds if the instruction `instr` should be included when printing
|
||||
* the IR instructions.
|
||||
*/
|
||||
predicate shouldPrintInstruction(Instruction instr) { any() }
|
||||
|
||||
/**
|
||||
* Holds if the operand `operand` should be included when printing the an
|
||||
* instruction's operand list.
|
||||
*/
|
||||
predicate shouldPrintOperand(Operand operand) { any() }
|
||||
}
|
||||
|
||||
@@ -255,14 +255,28 @@ private module Cached {
|
||||
cached
|
||||
newtype TIRBlock = MkIRBlock(Instruction firstInstr) { startsBasicBlock(firstInstr) }
|
||||
|
||||
/** Holds if `i` is the `index`th instruction the block starting with `first`. */
|
||||
private Instruction getInstructionFromFirst(Instruction first, int index) =
|
||||
shortestDistances(startsBasicBlock/1, adjacentInBlock/2)(first, result, index)
|
||||
/** Gets the index of `i` in its `IRBlock`. */
|
||||
private int getMemberIndex(Instruction i) {
|
||||
startsBasicBlock(i) and
|
||||
result = 0
|
||||
or
|
||||
exists(Instruction iPrev |
|
||||
adjacentInBlock(iPrev, i) and
|
||||
result = getMemberIndex(iPrev) + 1
|
||||
)
|
||||
}
|
||||
|
||||
private module BlockAdjacency = QlBuiltins::EquivalenceRelation<Instruction, adjacentInBlock/2>;
|
||||
|
||||
/** Holds if `i` is the `index`th instruction in `block`. */
|
||||
cached
|
||||
Instruction getInstruction(TIRBlock block, int index) {
|
||||
result = getInstructionFromFirst(getFirstInstruction(block), index)
|
||||
exists(Instruction first | block = MkIRBlock(first) |
|
||||
first = result and index = 0
|
||||
or
|
||||
index = getMemberIndex(result) and
|
||||
BlockAdjacency::getEquivalenceClass(first) = BlockAdjacency::getEquivalenceClass(result)
|
||||
)
|
||||
}
|
||||
|
||||
cached
|
||||
|
||||
@@ -42,6 +42,14 @@ private predicate shouldPrintFunction(Language::Declaration decl) {
|
||||
exists(PrintIRConfiguration config | config.shouldPrintFunction(decl))
|
||||
}
|
||||
|
||||
private predicate shouldPrintInstruction(Instruction i) {
|
||||
exists(IRPropertyProvider provider | provider.shouldPrintInstruction(i))
|
||||
}
|
||||
|
||||
private predicate shouldPrintOperand(Operand operand) {
|
||||
exists(IRPropertyProvider provider | provider.shouldPrintOperand(operand))
|
||||
}
|
||||
|
||||
private string getAdditionalInstructionProperty(Instruction instr, string key) {
|
||||
exists(IRPropertyProvider provider | result = provider.getInstructionProperty(instr, key))
|
||||
}
|
||||
@@ -84,7 +92,9 @@ private string getOperandPropertyString(Operand operand) {
|
||||
private newtype TPrintableIRNode =
|
||||
TPrintableIRFunction(IRFunction irFunc) { shouldPrintFunction(irFunc.getFunction()) } or
|
||||
TPrintableIRBlock(IRBlock block) { shouldPrintFunction(block.getEnclosingFunction()) } or
|
||||
TPrintableInstruction(Instruction instr) { shouldPrintFunction(instr.getEnclosingFunction()) }
|
||||
TPrintableInstruction(Instruction instr) {
|
||||
shouldPrintInstruction(instr) and shouldPrintFunction(instr.getEnclosingFunction())
|
||||
}
|
||||
|
||||
/**
|
||||
* A node to be emitted in the IR graph.
|
||||
@@ -252,7 +262,8 @@ private class PrintableInstruction extends PrintableIRNode, TPrintableInstructio
|
||||
private string getOperandsString() {
|
||||
result =
|
||||
concat(Operand operand |
|
||||
operand = instr.getAnOperand()
|
||||
operand = instr.getAnOperand() and
|
||||
shouldPrintOperand(operand)
|
||||
|
|
||||
operand.getDumpString() + getOperandPropertyString(operand), ", "
|
||||
order by
|
||||
|
||||
@@ -729,7 +729,7 @@ module RangeStage<
|
||||
) {
|
||||
exists(SemExpr e, D::Delta d1, D::Delta d2 |
|
||||
unequalFlowStepIntegralSsa(v, pos, e, d1, reason) and
|
||||
boundedUpper(e, b, d1) and
|
||||
boundedUpper(e, b, d2) and
|
||||
boundedLower(e, b, d2) and
|
||||
delta = D::fromFloat(D::toFloat(d1) + D::toFloat(d2))
|
||||
)
|
||||
|
||||
@@ -4,16 +4,17 @@
|
||||
* may result in a buffer overflow.
|
||||
* @kind path-problem
|
||||
* @problem.severity error
|
||||
* @security-severity 9.3
|
||||
* @precision medium
|
||||
* @id cpp/overrun-write
|
||||
* @tags reliability
|
||||
* security
|
||||
* experimental
|
||||
* external/cwe/cwe-119
|
||||
* external/cwe/cwe-131
|
||||
*/
|
||||
|
||||
import cpp
|
||||
import experimental.semmle.code.cpp.dataflow.ProductFlow
|
||||
import semmle.code.cpp.ir.dataflow.internal.ProductFlow
|
||||
import semmle.code.cpp.ir.IR
|
||||
import semmle.code.cpp.models.interfaces.Allocation
|
||||
import semmle.code.cpp.models.interfaces.ArrayFunction
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: newQuery
|
||||
---
|
||||
* Added a new query, `cpp/overrun-write`, to detect buffer overflows in C-style functions that manipulate buffers.
|
||||
@@ -10,7 +10,7 @@
|
||||
*/
|
||||
|
||||
import cpp
|
||||
import experimental.semmle.code.cpp.dataflow.ProductFlow
|
||||
import semmle.code.cpp.ir.dataflow.internal.ProductFlow
|
||||
import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.RangeAnalysis
|
||||
import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticExprSpecific
|
||||
import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.Bound
|
||||
|
||||
@@ -14,7 +14,7 @@ import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.RangeAnalysi
|
||||
import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticExprSpecific
|
||||
import semmle.code.cpp.ir.IR
|
||||
import semmle.code.cpp.ir.dataflow.DataFlow
|
||||
import PointerArithmeticToDerefFlow::PathGraph
|
||||
import FieldAddressToDerefFlow::PathGraph
|
||||
|
||||
pragma[nomagic]
|
||||
Instruction getABoundIn(SemBound b, IRFunction func) {
|
||||
@@ -42,21 +42,6 @@ bindingset[b]
|
||||
pragma[inline_late]
|
||||
predicate bounded2(Instruction i, Instruction b, int delta) { boundedImpl(i, b, delta) }
|
||||
|
||||
module FieldAddressToPointerArithmeticConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { isFieldAddressSource(_, source) }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(PointerAddInstruction pai | pai.getLeft() = sink.asInstruction())
|
||||
}
|
||||
}
|
||||
|
||||
module FieldAddressToPointerArithmeticFlow =
|
||||
DataFlow::Global<FieldAddressToPointerArithmeticConfig>;
|
||||
|
||||
predicate isFieldAddressSource(Field f, DataFlow::Node source) {
|
||||
source.asInstruction().(FieldAddressInstruction).getField() = f
|
||||
}
|
||||
|
||||
bindingset[delta]
|
||||
predicate isInvalidPointerDerefSinkImpl(
|
||||
int delta, Instruction i, AddressOperand addr, string operation
|
||||
@@ -93,38 +78,95 @@ predicate isInvalidPointerDerefSink2(DataFlow::Node sink, Instruction i, string
|
||||
)
|
||||
}
|
||||
|
||||
predicate isConstantSizeOverflowSource(Field f, PointerAddInstruction pai, int delta) {
|
||||
exists(int size, int bound, DataFlow::Node source, DataFlow::InstructionNode sink |
|
||||
FieldAddressToPointerArithmeticFlow::flow(source, sink) and
|
||||
isFieldAddressSource(f, source) and
|
||||
pai.getLeft() = sink.asInstruction() and
|
||||
f.getUnspecifiedType().(ArrayType).getArraySize() = size and
|
||||
semBounded(getSemanticExpr(pai.getRight()), any(SemZeroBound b), bound, true, _) and
|
||||
delta = bound - size and
|
||||
delta >= 0 and
|
||||
size != 0 and
|
||||
size != 1
|
||||
)
|
||||
pragma[nomagic]
|
||||
predicate arrayTypeHasSizes(ArrayType arr, int baseTypeSize, int arraySize) {
|
||||
arr.getBaseType().getSize() = baseTypeSize and
|
||||
arr.getArraySize() = arraySize
|
||||
}
|
||||
|
||||
predicate pointerArithOverflow0(
|
||||
PointerArithmeticInstruction pai, Field f, int size, int bound, int delta
|
||||
) {
|
||||
arrayTypeHasSizes(f.getUnspecifiedType(), pai.getElementSize(), size) and
|
||||
semBounded(getSemanticExpr(pai.getRight()), any(SemZeroBound b), bound, true, _) and
|
||||
delta = bound - size and
|
||||
delta >= 0 and
|
||||
size != 0 and
|
||||
size != 1
|
||||
}
|
||||
|
||||
module PointerArithmeticToDerefConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
isConstantSizeOverflowSource(_, source.asInstruction(), _)
|
||||
pointerArithOverflow0(source.asInstruction(), _, _, _, _)
|
||||
}
|
||||
|
||||
pragma[inline]
|
||||
predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
|
||||
|
||||
predicate isBarrierOut(DataFlow::Node node) { isSink(node) }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { isInvalidPointerDerefSink1(sink, _, _) }
|
||||
}
|
||||
|
||||
module PointerArithmeticToDerefFlow = DataFlow::Global<PointerArithmeticToDerefConfig>;
|
||||
|
||||
predicate pointerArithOverflow(
|
||||
PointerArithmeticInstruction pai, Field f, int size, int bound, int delta
|
||||
) {
|
||||
pointerArithOverflow0(pai, f, size, bound, delta) and
|
||||
PointerArithmeticToDerefFlow::flow(DataFlow::instructionNode(pai), _)
|
||||
}
|
||||
|
||||
module FieldAddressToDerefConfig implements DataFlow::StateConfigSig {
|
||||
newtype FlowState =
|
||||
additional TArray(Field f) { pointerArithOverflow(_, f, _, _, _) } or
|
||||
additional TOverflowArithmetic(PointerArithmeticInstruction pai) {
|
||||
pointerArithOverflow(pai, _, _, _, _)
|
||||
}
|
||||
|
||||
predicate isSource(DataFlow::Node source, FlowState state) {
|
||||
exists(Field f |
|
||||
source.asInstruction().(FieldAddressInstruction).getField() = f and
|
||||
state = TArray(f)
|
||||
)
|
||||
}
|
||||
|
||||
predicate isSink(DataFlow::Node sink, FlowState state) {
|
||||
exists(DataFlow::Node pai |
|
||||
state = TOverflowArithmetic(pai.asInstruction()) and
|
||||
PointerArithmeticToDerefFlow::flow(pai, sink)
|
||||
)
|
||||
}
|
||||
|
||||
predicate isBarrier(DataFlow::Node node, FlowState state) { none() }
|
||||
|
||||
predicate isBarrierIn(DataFlow::Node node) { isSource(node, _) }
|
||||
|
||||
predicate isBarrierOut(DataFlow::Node node) { isSink(node, _) }
|
||||
|
||||
predicate isAdditionalFlowStep(
|
||||
DataFlow::Node node1, FlowState state1, DataFlow::Node node2, FlowState state2
|
||||
) {
|
||||
exists(PointerArithmeticInstruction pai, Field f |
|
||||
state1 = TArray(f) and
|
||||
state2 = TOverflowArithmetic(pai) and
|
||||
pai.getLeft() = node1.asInstruction() and
|
||||
node2.asInstruction() = pai and
|
||||
pointerArithOverflow(pai, f, _, _, _)
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
module FieldAddressToDerefFlow = DataFlow::GlobalWithState<FieldAddressToDerefConfig>;
|
||||
|
||||
from
|
||||
Field f, PointerArithmeticToDerefFlow::PathNode source,
|
||||
PointerArithmeticToDerefFlow::PathNode sink, Instruction deref, string operation, int delta
|
||||
Field f, FieldAddressToDerefFlow::PathNode source, PointerArithmeticInstruction pai,
|
||||
FieldAddressToDerefFlow::PathNode sink, Instruction deref, string operation, int delta
|
||||
where
|
||||
PointerArithmeticToDerefFlow::flowPath(source, sink) and
|
||||
FieldAddressToDerefFlow::flowPath(source, sink) and
|
||||
isInvalidPointerDerefSink2(sink.getNode(), deref, operation) and
|
||||
isConstantSizeOverflowSource(f, source.getNode().asInstruction(), delta)
|
||||
select source, source, sink,
|
||||
source.getState() = FieldAddressToDerefConfig::TArray(f) and
|
||||
sink.getState() = FieldAddressToDerefConfig::TOverflowArithmetic(pai) and
|
||||
pointerArithOverflow(pai, f, _, _, delta)
|
||||
select pai, source, sink,
|
||||
"This pointer arithmetic may have an off-by-" + (delta + 1) +
|
||||
" error allowing it to overrun $@ at this $@.", f, f.getName(), deref, operation
|
||||
|
||||
@@ -16,7 +16,7 @@
|
||||
*/
|
||||
|
||||
import cpp
|
||||
import experimental.semmle.code.cpp.dataflow.ProductFlow
|
||||
import semmle.code.cpp.ir.dataflow.internal.ProductFlow
|
||||
import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.RangeAnalysis
|
||||
import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticExprSpecific
|
||||
import semmle.code.cpp.ir.IR
|
||||
|
||||
@@ -16,18 +16,16 @@ private import semmle.code.cpp.ir.dataflow.DataFlow::DataFlow as IRDataFlow
|
||||
private import semmle.code.cpp.dataflow.DataFlow::DataFlow as AstDataFlow
|
||||
import TestUtilities.InlineExpectationsTest
|
||||
|
||||
class IRFlowTest extends InlineExpectationsTest {
|
||||
IRFlowTest() { this = "IRFlowTest" }
|
||||
module IRFlowTest<IRDataFlow::GlobalFlowSig Flow> implements TestSig {
|
||||
string getARelevantTag() { result = "ir" }
|
||||
|
||||
override string getARelevantTag() { result = "ir" }
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
exists(IRDataFlow::Node source, IRDataFlow::Node sink, IRDataFlow::Configuration conf, int n |
|
||||
predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
exists(IRDataFlow::Node source, IRDataFlow::Node sink, int n |
|
||||
tag = "ir" and
|
||||
conf.hasFlow(source, sink) and
|
||||
Flow::flow(source, sink) and
|
||||
n =
|
||||
strictcount(int line, int column |
|
||||
conf.hasFlow(any(IRDataFlow::Node otherSource |
|
||||
Flow::flow(any(IRDataFlow::Node otherSource |
|
||||
otherSource.hasLocationInfo(_, line, column, _, _)
|
||||
), sink)
|
||||
) and
|
||||
@@ -47,20 +45,16 @@ class IRFlowTest extends InlineExpectationsTest {
|
||||
}
|
||||
}
|
||||
|
||||
class AstFlowTest extends InlineExpectationsTest {
|
||||
AstFlowTest() { this = "ASTFlowTest" }
|
||||
module AstFlowTest<AstDataFlow::GlobalFlowSig Flow> implements TestSig {
|
||||
string getARelevantTag() { result = "ast" }
|
||||
|
||||
override string getARelevantTag() { result = "ast" }
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
exists(
|
||||
AstDataFlow::Node source, AstDataFlow::Node sink, AstDataFlow::Configuration conf, int n
|
||||
|
|
||||
predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
exists(AstDataFlow::Node source, AstDataFlow::Node sink, int n |
|
||||
tag = "ast" and
|
||||
conf.hasFlow(source, sink) and
|
||||
Flow::flow(source, sink) and
|
||||
n =
|
||||
strictcount(int line, int column |
|
||||
conf.hasFlow(any(AstDataFlow::Node otherSource |
|
||||
Flow::flow(any(AstDataFlow::Node otherSource |
|
||||
otherSource.hasLocationInfo(_, line, column, _, _)
|
||||
), sink)
|
||||
) and
|
||||
@@ -79,6 +73,3 @@ class AstFlowTest extends InlineExpectationsTest {
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for AstFlowTest */
|
||||
deprecated class ASTFlowTest = AstFlowTest;
|
||||
|
||||
@@ -1 +0,0 @@
|
||||
experimental/Likely Bugs/OverrunWriteProductFlow.ql
|
||||
@@ -1,37 +1,46 @@
|
||||
edges
|
||||
| test.cpp:66:32:66:32 | p | test.cpp:66:32:66:32 | p |
|
||||
| test.cpp:66:32:66:32 | p | test.cpp:67:5:67:6 | * ... |
|
||||
| test.cpp:66:32:66:32 | p | test.cpp:67:6:67:6 | p |
|
||||
| test.cpp:35:10:35:12 | buf | test.cpp:35:5:35:22 | access to array |
|
||||
| test.cpp:36:10:36:12 | buf | test.cpp:36:5:36:24 | access to array |
|
||||
| test.cpp:43:14:43:16 | buf | test.cpp:43:9:43:19 | access to array |
|
||||
| test.cpp:49:10:49:12 | buf | test.cpp:49:5:49:22 | access to array |
|
||||
| test.cpp:50:10:50:12 | buf | test.cpp:50:5:50:24 | access to array |
|
||||
| test.cpp:57:14:57:16 | buf | test.cpp:57:9:57:19 | access to array |
|
||||
| test.cpp:61:14:61:16 | buf | test.cpp:61:9:61:19 | access to array |
|
||||
| test.cpp:70:33:70:33 | p | test.cpp:72:5:72:15 | access to array |
|
||||
| test.cpp:77:26:77:44 | & ... | test.cpp:66:32:66:32 | p |
|
||||
| test.cpp:77:26:77:44 | & ... | test.cpp:66:32:66:32 | p |
|
||||
| test.cpp:77:27:77:44 | access to array | test.cpp:77:26:77:44 | & ... |
|
||||
| test.cpp:77:32:77:34 | buf | test.cpp:77:26:77:44 | & ... |
|
||||
| test.cpp:79:27:79:34 | buf | test.cpp:70:33:70:33 | p |
|
||||
| test.cpp:79:32:79:34 | buf | test.cpp:79:27:79:34 | buf |
|
||||
nodes
|
||||
| test.cpp:35:5:35:22 | access to array | semmle.label | access to array |
|
||||
| test.cpp:35:10:35:12 | buf | semmle.label | buf |
|
||||
| test.cpp:36:5:36:24 | access to array | semmle.label | access to array |
|
||||
| test.cpp:36:10:36:12 | buf | semmle.label | buf |
|
||||
| test.cpp:43:9:43:19 | access to array | semmle.label | access to array |
|
||||
| test.cpp:43:14:43:16 | buf | semmle.label | buf |
|
||||
| test.cpp:49:5:49:22 | access to array | semmle.label | access to array |
|
||||
| test.cpp:49:10:49:12 | buf | semmle.label | buf |
|
||||
| test.cpp:50:5:50:24 | access to array | semmle.label | access to array |
|
||||
| test.cpp:50:10:50:12 | buf | semmle.label | buf |
|
||||
| test.cpp:57:9:57:19 | access to array | semmle.label | access to array |
|
||||
| test.cpp:57:14:57:16 | buf | semmle.label | buf |
|
||||
| test.cpp:61:9:61:19 | access to array | semmle.label | access to array |
|
||||
| test.cpp:61:14:61:16 | buf | semmle.label | buf |
|
||||
| test.cpp:66:32:66:32 | p | semmle.label | p |
|
||||
| test.cpp:66:32:66:32 | p | semmle.label | p |
|
||||
| test.cpp:66:32:66:32 | p | semmle.label | p |
|
||||
| test.cpp:67:5:67:6 | * ... | semmle.label | * ... |
|
||||
| test.cpp:67:6:67:6 | p | semmle.label | p |
|
||||
| test.cpp:70:33:70:33 | p | semmle.label | p |
|
||||
| test.cpp:72:5:72:15 | access to array | semmle.label | access to array |
|
||||
| test.cpp:77:26:77:44 | & ... | semmle.label | & ... |
|
||||
| test.cpp:77:27:77:44 | access to array | semmle.label | access to array |
|
||||
| test.cpp:77:32:77:34 | buf | semmle.label | buf |
|
||||
| test.cpp:79:27:79:34 | buf | semmle.label | buf |
|
||||
| test.cpp:79:32:79:34 | buf | semmle.label | buf |
|
||||
subpaths
|
||||
#select
|
||||
| test.cpp:35:5:35:22 | access to array | test.cpp:35:5:35:22 | access to array | test.cpp:35:5:35:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:35:5:35:26 | Store: ... = ... | write |
|
||||
| test.cpp:36:5:36:24 | access to array | test.cpp:36:5:36:24 | access to array | test.cpp:36:5:36:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:36:5:36:28 | Store: ... = ... | write |
|
||||
| test.cpp:43:9:43:19 | access to array | test.cpp:43:9:43:19 | access to array | test.cpp:43:9:43:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:43:9:43:23 | Store: ... = ... | write |
|
||||
| test.cpp:49:5:49:22 | access to array | test.cpp:49:5:49:22 | access to array | test.cpp:49:5:49:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:49:5:49:26 | Store: ... = ... | write |
|
||||
| test.cpp:50:5:50:24 | access to array | test.cpp:50:5:50:24 | access to array | test.cpp:50:5:50:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:50:5:50:28 | Store: ... = ... | write |
|
||||
| test.cpp:57:9:57:19 | access to array | test.cpp:57:9:57:19 | access to array | test.cpp:57:9:57:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:57:9:57:23 | Store: ... = ... | write |
|
||||
| test.cpp:61:9:61:19 | access to array | test.cpp:61:9:61:19 | access to array | test.cpp:61:9:61:19 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:61:9:61:23 | Store: ... = ... | write |
|
||||
| test.cpp:72:5:72:15 | access to array | test.cpp:72:5:72:15 | access to array | test.cpp:72:5:72:15 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:72:5:72:19 | Store: ... = ... | write |
|
||||
| test.cpp:77:27:77:44 | access to array | test.cpp:77:27:77:44 | access to array | test.cpp:66:32:66:32 | p | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
|
||||
| test.cpp:77:27:77:44 | access to array | test.cpp:77:27:77:44 | access to array | test.cpp:66:32:66:32 | p | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
|
||||
| test.cpp:77:27:77:44 | access to array | test.cpp:77:27:77:44 | access to array | test.cpp:67:5:67:6 | * ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
|
||||
| test.cpp:77:27:77:44 | access to array | test.cpp:77:27:77:44 | access to array | test.cpp:67:6:67:6 | p | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
|
||||
| test.cpp:35:5:35:22 | PointerAdd: access to array | test.cpp:35:10:35:12 | buf | test.cpp:35:5:35:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:35:5:35:26 | Store: ... = ... | write |
|
||||
| test.cpp:36:5:36:24 | PointerAdd: access to array | test.cpp:36:10:36:12 | buf | test.cpp:36:5:36:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:36:5:36:28 | Store: ... = ... | write |
|
||||
| test.cpp:43:9:43:19 | PointerAdd: access to array | test.cpp:43:14:43:16 | buf | test.cpp:43:9:43:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:43:9:43:23 | Store: ... = ... | write |
|
||||
| test.cpp:49:5:49:22 | PointerAdd: access to array | test.cpp:49:10:49:12 | buf | test.cpp:49:5:49:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:49:5:49:26 | Store: ... = ... | write |
|
||||
| test.cpp:50:5:50:24 | PointerAdd: access to array | test.cpp:50:10:50:12 | buf | test.cpp:50:5:50:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:50:5:50:28 | Store: ... = ... | write |
|
||||
| test.cpp:57:9:57:19 | PointerAdd: access to array | test.cpp:57:14:57:16 | buf | test.cpp:57:9:57:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:57:9:57:23 | Store: ... = ... | write |
|
||||
| test.cpp:61:9:61:19 | PointerAdd: access to array | test.cpp:61:14:61:16 | buf | test.cpp:61:9:61:19 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:61:9:61:23 | Store: ... = ... | write |
|
||||
| test.cpp:72:5:72:15 | PointerAdd: access to array | test.cpp:79:32:79:34 | buf | test.cpp:72:5:72:15 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:72:5:72:19 | Store: ... = ... | write |
|
||||
| test.cpp:77:27:77:44 | PointerAdd: access to array | test.cpp:77:32:77:34 | buf | test.cpp:66:32:66:32 | p | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
|
||||
|
||||
@@ -78,3 +78,45 @@ void testInterproc(BigArray *arr) {
|
||||
|
||||
addToPointerAndAssign(arr->buf);
|
||||
}
|
||||
|
||||
#define MAX_SIZE_BYTES 4096
|
||||
|
||||
void testCharIndex(BigArray *arr) {
|
||||
char *charBuf = (char*) arr->buf;
|
||||
|
||||
charBuf[MAX_SIZE_BYTES - 1] = 0; // GOOD
|
||||
charBuf[MAX_SIZE_BYTES] = 0; // BAD [FALSE NEGATIVE]
|
||||
}
|
||||
|
||||
void testEqRefinement() {
|
||||
int arr[MAX_SIZE];
|
||||
|
||||
for(int i = 0; i <= MAX_SIZE; i++) {
|
||||
if(i != MAX_SIZE) {
|
||||
arr[i] = 0; // GOOD
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
void testEqRefinement2() {
|
||||
int arr[MAX_SIZE];
|
||||
|
||||
int n = 0;
|
||||
|
||||
for(int i = 0; i <= MAX_SIZE; i++) {
|
||||
if(n == 0) {
|
||||
if(i == MAX_SIZE) {
|
||||
break;
|
||||
}
|
||||
n = arr[i]; // GOOD
|
||||
continue;
|
||||
}
|
||||
|
||||
if (i == MAX_SIZE || n != arr[i]) {
|
||||
if (i == MAX_SIZE) {
|
||||
break;
|
||||
}
|
||||
n = arr[i]; // GOOD
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -653,31 +653,24 @@ edges
|
||||
| test.cpp:304:15:304:26 | new[] | test.cpp:308:5:308:6 | xs |
|
||||
| test.cpp:308:5:308:6 | xs | test.cpp:308:5:308:11 | access to array |
|
||||
| test.cpp:308:5:308:11 | access to array | test.cpp:308:5:308:29 | Store: ... = ... |
|
||||
| test.cpp:313:16:313:29 | new[] | test.cpp:314:17:314:18 | xs |
|
||||
| test.cpp:314:17:314:18 | xs | test.cpp:314:17:314:25 | ... + ... |
|
||||
| test.cpp:314:17:314:18 | xs | test.cpp:314:17:314:25 | ... + ... |
|
||||
| test.cpp:314:17:314:18 | xs | test.cpp:318:13:318:20 | * ... |
|
||||
| test.cpp:314:17:314:25 | ... + ... | test.cpp:318:14:318:20 | current |
|
||||
| test.cpp:314:17:314:25 | ... + ... | test.cpp:318:14:318:20 | current |
|
||||
| test.cpp:314:17:314:25 | ... + ... | test.cpp:320:13:320:20 | * ... |
|
||||
| test.cpp:314:17:314:25 | ... + ... | test.cpp:320:13:320:20 | * ... |
|
||||
| test.cpp:314:17:314:25 | ... + ... | test.cpp:320:14:320:20 | current |
|
||||
| test.cpp:314:17:314:25 | ... + ... | test.cpp:320:14:320:20 | current |
|
||||
| test.cpp:318:13:318:20 | * ... | test.cpp:318:14:318:20 | current |
|
||||
| test.cpp:318:13:318:20 | * ... | test.cpp:320:13:320:20 | * ... |
|
||||
| test.cpp:318:13:318:20 | * ... | test.cpp:320:14:320:20 | current |
|
||||
| test.cpp:318:14:318:20 | current | test.cpp:314:17:314:25 | Store: ... + ... |
|
||||
| test.cpp:318:14:318:20 | current | test.cpp:318:13:318:20 | Load: * ... |
|
||||
| test.cpp:318:14:318:20 | current | test.cpp:320:10:320:21 | Store: -- ... |
|
||||
| test.cpp:318:14:318:20 | current | test.cpp:320:12:320:21 | Load: (...) |
|
||||
| test.cpp:320:13:320:20 | * ... | test.cpp:314:17:314:25 | Store: ... + ... |
|
||||
| test.cpp:320:13:320:20 | * ... | test.cpp:318:13:318:20 | Load: * ... |
|
||||
| test.cpp:320:13:320:20 | * ... | test.cpp:320:10:320:21 | Store: -- ... |
|
||||
| test.cpp:320:13:320:20 | * ... | test.cpp:320:12:320:21 | Load: (...) |
|
||||
| test.cpp:320:14:320:20 | current | test.cpp:314:17:314:25 | Store: ... + ... |
|
||||
| test.cpp:320:14:320:20 | current | test.cpp:318:13:318:20 | Load: * ... |
|
||||
| test.cpp:320:14:320:20 | current | test.cpp:320:10:320:21 | Store: -- ... |
|
||||
| test.cpp:320:14:320:20 | current | test.cpp:320:12:320:21 | Load: (...) |
|
||||
| test.cpp:313:14:313:27 | new[] | test.cpp:314:15:314:16 | xs |
|
||||
| test.cpp:325:14:325:27 | new[] | test.cpp:326:15:326:16 | xs |
|
||||
| test.cpp:326:15:326:16 | xs | test.cpp:326:15:326:23 | ... + ... |
|
||||
| test.cpp:326:15:326:16 | xs | test.cpp:326:15:326:23 | ... + ... |
|
||||
| test.cpp:326:15:326:16 | xs | test.cpp:338:8:338:15 | * ... |
|
||||
| test.cpp:326:15:326:16 | xs | test.cpp:341:8:341:17 | * ... |
|
||||
| test.cpp:326:15:326:23 | ... + ... | test.cpp:342:8:342:17 | * ... |
|
||||
| test.cpp:326:15:326:23 | ... + ... | test.cpp:342:8:342:17 | * ... |
|
||||
| test.cpp:338:8:338:15 | * ... | test.cpp:342:8:342:17 | * ... |
|
||||
| test.cpp:341:8:341:17 | * ... | test.cpp:342:8:342:17 | * ... |
|
||||
| test.cpp:342:8:342:17 | * ... | test.cpp:333:5:333:21 | Store: ... = ... |
|
||||
| test.cpp:342:8:342:17 | * ... | test.cpp:341:5:341:21 | Store: ... = ... |
|
||||
| test.cpp:347:14:347:27 | new[] | test.cpp:348:15:348:16 | xs |
|
||||
| test.cpp:348:15:348:16 | xs | test.cpp:350:16:350:19 | ... ++ |
|
||||
| test.cpp:348:15:348:16 | xs | test.cpp:350:16:350:19 | ... ++ |
|
||||
| test.cpp:350:16:350:19 | ... ++ | test.cpp:350:15:350:19 | Load: * ... |
|
||||
| test.cpp:350:16:350:19 | ... ++ | test.cpp:350:16:350:19 | ... ++ |
|
||||
| test.cpp:350:16:350:19 | ... ++ | test.cpp:350:16:350:19 | ... ++ |
|
||||
subpaths
|
||||
#select
|
||||
| test.cpp:6:14:6:15 | Load: * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:6:14:6:15 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
|
||||
@@ -703,7 +696,6 @@ subpaths
|
||||
| test.cpp:264:13:264:14 | Load: * ... | test.cpp:260:13:260:24 | new[] | test.cpp:264:13:264:14 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:260:13:260:24 | new[] | new[] | test.cpp:261:19:261:21 | len | len |
|
||||
| test.cpp:274:5:274:10 | Store: ... = ... | test.cpp:270:13:270:24 | new[] | test.cpp:274:5:274:10 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:270:13:270:24 | new[] | new[] | test.cpp:271:19:271:21 | len | len |
|
||||
| test.cpp:308:5:308:29 | Store: ... = ... | test.cpp:304:15:304:26 | new[] | test.cpp:308:5:308:29 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:304:15:304:26 | new[] | new[] | test.cpp:308:8:308:10 | ... + ... | ... + ... |
|
||||
| test.cpp:314:17:314:25 | Store: ... + ... | test.cpp:313:16:313:29 | new[] | test.cpp:314:17:314:25 | Store: ... + ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:313:16:313:29 | new[] | new[] | test.cpp:314:22:314:25 | size | size |
|
||||
| test.cpp:318:13:318:20 | Load: * ... | test.cpp:313:16:313:29 | new[] | test.cpp:318:13:318:20 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:313:16:313:29 | new[] | new[] | test.cpp:314:22:314:25 | size | size |
|
||||
| test.cpp:320:10:320:21 | Store: -- ... | test.cpp:313:16:313:29 | new[] | test.cpp:320:10:320:21 | Store: -- ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:313:16:313:29 | new[] | new[] | test.cpp:314:22:314:25 | size | size |
|
||||
| test.cpp:320:12:320:21 | Load: (...) | test.cpp:313:16:313:29 | new[] | test.cpp:320:12:320:21 | Load: (...) | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:313:16:313:29 | new[] | new[] | test.cpp:314:22:314:25 | size | size |
|
||||
| test.cpp:333:5:333:21 | Store: ... = ... | test.cpp:325:14:325:27 | new[] | test.cpp:333:5:333:21 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:325:14:325:27 | new[] | new[] | test.cpp:326:20:326:23 | size | size |
|
||||
| test.cpp:341:5:341:21 | Store: ... = ... | test.cpp:325:14:325:27 | new[] | test.cpp:341:5:341:21 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:325:14:325:27 | new[] | new[] | test.cpp:326:20:326:23 | size | size |
|
||||
| test.cpp:350:15:350:19 | Load: * ... | test.cpp:347:14:347:27 | new[] | test.cpp:350:15:350:19 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:347:14:347:27 | new[] | new[] | test.cpp:348:20:348:23 | size | size |
|
||||
|
||||
@@ -310,15 +310,43 @@ void test21() {
|
||||
}
|
||||
|
||||
void test22(unsigned size, int val) {
|
||||
char *xs = new char[size];
|
||||
char *end = xs + size; // GOOD [FALSE POSITIVE]
|
||||
char **current = &end;
|
||||
do
|
||||
{
|
||||
if( *current - xs < 1 ) // GOOD [FALSE POSITIVE]
|
||||
return;
|
||||
*--(*current) = 0; // GOOD [FALSE POSITIVE]
|
||||
val >>= 8;
|
||||
}
|
||||
while( val > 0 );
|
||||
char *xs = new char[size];
|
||||
char *end = xs + size; // GOOD
|
||||
char **current = &end;
|
||||
do {
|
||||
if (*current - xs < 1) // GOOD
|
||||
return;
|
||||
*--(*current) = 0; // GOOD
|
||||
val >>= 8;
|
||||
} while (val > 0);
|
||||
}
|
||||
|
||||
void test23(unsigned size, int val) {
|
||||
char *xs = new char[size];
|
||||
char *end = xs + size;
|
||||
char **current = &end;
|
||||
|
||||
if (val < 1) {
|
||||
if(*current - xs < 1)
|
||||
return;
|
||||
|
||||
*--(*current) = 0; // GOOD [FALSE POSITIVE]
|
||||
return;
|
||||
}
|
||||
|
||||
if (val < 2) {
|
||||
if(*current - xs < 2)
|
||||
return;
|
||||
|
||||
*--(*current) = 0; // GOOD [FALSE POSITIVE]
|
||||
*--(*current) = 0; // GOOD
|
||||
}
|
||||
}
|
||||
|
||||
void test24(unsigned size) {
|
||||
char *xs = new char[size];
|
||||
char *end = xs + size;
|
||||
if (xs < end) {
|
||||
int val = *xs++; // GOOD [FALSE POSITIVE]
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
WARNING: Module TaintedWithPath has been deprecated and may be removed in future (tainted.ql:9,8-47)
|
||||
WARNING: Predicate tainted has been deprecated and may be removed in future (tainted.ql:20,49-74)
|
||||
failures
|
||||
testFailures
|
||||
|
||||
@@ -38,12 +38,10 @@ predicate irTaint(Element source, TaintedWithPath::PathNode predNode, string tag
|
||||
)
|
||||
}
|
||||
|
||||
class IRDefaultTaintTrackingTest extends InlineExpectationsTest {
|
||||
IRDefaultTaintTrackingTest() { this = "IRDefaultTaintTrackingTest" }
|
||||
module IRDefaultTaintTrackingTest implements TestSig {
|
||||
string getARelevantTag() { result = ["ir-path", "ir-sink"] }
|
||||
|
||||
override string getARelevantTag() { result = ["ir-path", "ir-sink"] }
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
exists(Element elem, TaintedWithPath::PathNode node, int n |
|
||||
irTaint(_, node, tag) and
|
||||
elem = getElementFromPathNode(node) and
|
||||
@@ -67,12 +65,10 @@ class IRDefaultTaintTrackingTest extends InlineExpectationsTest {
|
||||
}
|
||||
}
|
||||
|
||||
class AstTaintTrackingTest extends InlineExpectationsTest {
|
||||
AstTaintTrackingTest() { this = "ASTTaintTrackingTest" }
|
||||
module AstTaintTrackingTest implements TestSig {
|
||||
string getARelevantTag() { result = "ast" }
|
||||
|
||||
override string getARelevantTag() { result = "ast" }
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
exists(Expr source, Element tainted, int n |
|
||||
tag = "ast" and
|
||||
astTaint(source, tainted) and
|
||||
@@ -100,3 +96,5 @@ class AstTaintTrackingTest extends InlineExpectationsTest {
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
import MakeTest<MergeTests<IRDefaultTaintTrackingTest, AstTaintTrackingTest>>
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
WARNING: Module TaintedWithPath has been deprecated and may be removed in future (tainted.ql:10,8-47)
|
||||
WARNING: Predicate tainted has been deprecated and may be removed in future (tainted.ql:21,3-28)
|
||||
failures
|
||||
testFailures
|
||||
|
||||
@@ -29,12 +29,10 @@ predicate irTaint(Expr source, Element sink) {
|
||||
TaintedWithPath::taintedWithPath(source, sink, _, _)
|
||||
}
|
||||
|
||||
class IRDefaultTaintTrackingTest extends InlineExpectationsTest {
|
||||
IRDefaultTaintTrackingTest() { this = "IRDefaultTaintTrackingTest" }
|
||||
module IRDefaultTaintTrackingTest implements TestSig {
|
||||
string getARelevantTag() { result = "ir" }
|
||||
|
||||
override string getARelevantTag() { result = "ir" }
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
exists(Expr source, Element tainted, int n |
|
||||
tag = "ir" and
|
||||
irTaint(source, tainted) and
|
||||
@@ -55,12 +53,10 @@ class IRDefaultTaintTrackingTest extends InlineExpectationsTest {
|
||||
}
|
||||
}
|
||||
|
||||
class AstTaintTrackingTest extends InlineExpectationsTest {
|
||||
AstTaintTrackingTest() { this = "ASTTaintTrackingTest" }
|
||||
module AstTaintTrackingTest implements TestSig {
|
||||
string getARelevantTag() { result = "ast" }
|
||||
|
||||
override string getARelevantTag() { result = "ast" }
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
exists(Expr source, Element tainted, int n |
|
||||
tag = "ast" and
|
||||
astTaint(source, tainted) and
|
||||
@@ -80,3 +76,5 @@ class AstTaintTrackingTest extends InlineExpectationsTest {
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
import MakeTest<MergeTests<IRDefaultTaintTrackingTest, AstTaintTrackingTest>>
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
WARNING: Predicate taintedIncludingGlobalVars has been deprecated and may be removed in future (global.ql:8,3-47)
|
||||
WARNING: Predicate taintedIncludingGlobalVars has been deprecated and may be removed in future (global.ql:12,3-53)
|
||||
failures
|
||||
testFailures
|
||||
|
||||
@@ -12,12 +12,10 @@ predicate irTaint(Expr source, Element sink, string globalVar) {
|
||||
IRDefaultTaintTracking::taintedIncludingGlobalVars(source, sink, globalVar) and globalVar != ""
|
||||
}
|
||||
|
||||
class IRGlobalDefaultTaintTrackingTest extends InlineExpectationsTest {
|
||||
IRGlobalDefaultTaintTrackingTest() { this = "IRGlobalDefaultTaintTrackingTest" }
|
||||
module IRGlobalDefaultTaintTrackingTest implements TestSig {
|
||||
string getARelevantTag() { result = "ir" }
|
||||
|
||||
override string getARelevantTag() { result = "ir" }
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
exists(Element tainted |
|
||||
tag = "ir" and
|
||||
irTaint(_, tainted, value) and
|
||||
@@ -27,12 +25,10 @@ class IRGlobalDefaultTaintTrackingTest extends InlineExpectationsTest {
|
||||
}
|
||||
}
|
||||
|
||||
class AstGlobalDefaultTaintTrackingTest extends InlineExpectationsTest {
|
||||
AstGlobalDefaultTaintTrackingTest() { this = "ASTGlobalDefaultTaintTrackingTest" }
|
||||
module AstGlobalDefaultTaintTrackingTest implements TestSig {
|
||||
string getARelevantTag() { result = "ast" }
|
||||
|
||||
override string getARelevantTag() { result = "ast" }
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
exists(Element tainted |
|
||||
tag = "ast" and
|
||||
astTaint(_, tainted, value) and
|
||||
@@ -41,3 +37,5 @@ class AstGlobalDefaultTaintTrackingTest extends InlineExpectationsTest {
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
import MakeTest<MergeTests<IRGlobalDefaultTaintTrackingTest, AstGlobalDefaultTaintTrackingTest>>
|
||||
|
||||
@@ -0,0 +1,2 @@
|
||||
failures
|
||||
testFailures
|
||||
|
||||
@@ -5,12 +5,10 @@ module AstTest {
|
||||
private import semmle.code.cpp.dataflow.DataFlow::DataFlow
|
||||
private import semmle.code.cpp.dataflow.internal.DataFlowPrivate
|
||||
|
||||
class AstParameterDefTest extends InlineExpectationsTest {
|
||||
AstParameterDefTest() { this = "AstParameterDefTest" }
|
||||
module AstParameterDefTest implements TestSig {
|
||||
string getARelevantTag() { result = "ast-def" }
|
||||
|
||||
override string getARelevantTag() { result = "ast-def" }
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
exists(Function f, Parameter p, RefParameterFinalValueNode n |
|
||||
p.isNamed() and
|
||||
n.getParameter() = p and
|
||||
@@ -33,12 +31,10 @@ module IRTest {
|
||||
(if k = 0 then result = "" else result = "*" + stars(k - 1))
|
||||
}
|
||||
|
||||
class IRParameterDefTest extends InlineExpectationsTest {
|
||||
IRParameterDefTest() { this = "IRParameterDefTest" }
|
||||
module IRParameterDefTest implements TestSig {
|
||||
string getARelevantTag() { result = "ir-def" }
|
||||
|
||||
override string getARelevantTag() { result = "ir-def" }
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
exists(Function f, Parameter p, FinalParameterNode n |
|
||||
p.isNamed() and
|
||||
n.getParameter() = p and
|
||||
@@ -51,3 +47,5 @@ module IRTest {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
import MakeTest<MergeTests<AstTest::AstParameterDefTest, IRTest::IRParameterDefTest>>
|
||||
|
||||
@@ -0,0 +1,2 @@
|
||||
failures
|
||||
testFailures
|
||||
|
||||
@@ -5,12 +5,10 @@ module AstTest {
|
||||
private import semmle.code.cpp.dataflow.DataFlow::DataFlow
|
||||
private import semmle.code.cpp.dataflow.internal.DataFlowPrivate
|
||||
|
||||
class AstMultipleOutNodesTest extends InlineExpectationsTest {
|
||||
AstMultipleOutNodesTest() { this = "AstMultipleOutNodesTest" }
|
||||
module AstMultipleOutNodesTest implements TestSig {
|
||||
string getARelevantTag() { result = "ast-count(" + any(ReturnKind k).toString() + ")" }
|
||||
|
||||
override string getARelevantTag() { result = "ast-count(" + any(ReturnKind k).toString() + ")" }
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
exists(DataFlowCall call, int n, ReturnKind kind |
|
||||
call.getLocation() = location and
|
||||
n = strictcount(getAnOutNode(call, kind)) and
|
||||
@@ -27,12 +25,10 @@ module IRTest {
|
||||
private import semmle.code.cpp.ir.dataflow.DataFlow
|
||||
private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
|
||||
|
||||
class IRMultipleOutNodesTest extends InlineExpectationsTest {
|
||||
IRMultipleOutNodesTest() { this = "IRMultipleOutNodesTest" }
|
||||
module IRMultipleOutNodesTest implements TestSig {
|
||||
string getARelevantTag() { result = "ir-count(" + any(ReturnKind k).toString() + ")" }
|
||||
|
||||
override string getARelevantTag() { result = "ir-count(" + any(ReturnKind k).toString() + ")" }
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
exists(DataFlowCall call, int n, ReturnKind kind |
|
||||
call.getLocation() = location and
|
||||
n = strictcount(getAnOutNode(call, kind)) and
|
||||
@@ -44,3 +40,5 @@ module IRTest {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
import MakeTest<MergeTests<AstTest::AstMultipleOutNodesTest, IRTest::IRMultipleOutNodesTest>>
|
||||
|
||||
@@ -0,0 +1,2 @@
|
||||
failures
|
||||
testFailures
|
||||
|
||||
@@ -16,10 +16,8 @@ module AstTest {
|
||||
}
|
||||
|
||||
/** Common data flow configuration to be used by tests. */
|
||||
class AstTestAllocationConfig extends DataFlow::Configuration {
|
||||
AstTestAllocationConfig() { this = "ASTTestAllocationConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) {
|
||||
module AstTestAllocationConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
source.asExpr().(FunctionCall).getTarget().getName() = "source"
|
||||
or
|
||||
source.asParameter().getName().matches("source%")
|
||||
@@ -32,18 +30,20 @@ module AstTest {
|
||||
exists(source.asUninitialized())
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) {
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(FunctionCall call |
|
||||
call.getTarget().getName() = ["sink", "indirect_sink"] and
|
||||
sink.asExpr() = call.getAnArgument()
|
||||
)
|
||||
}
|
||||
|
||||
override predicate isBarrier(DataFlow::Node barrier) {
|
||||
predicate isBarrier(DataFlow::Node barrier) {
|
||||
barrier.asExpr().(VariableAccess).getTarget().hasName("barrier") or
|
||||
barrier = DataFlow::BarrierGuard<testBarrierGuard/3>::getABarrierNode()
|
||||
}
|
||||
}
|
||||
|
||||
module AstFlow = DataFlow::Global<AstTestAllocationConfig>;
|
||||
}
|
||||
|
||||
module IRTest {
|
||||
@@ -67,10 +67,8 @@ module IRTest {
|
||||
}
|
||||
|
||||
/** Common data flow configuration to be used by tests. */
|
||||
class IRTestAllocationConfig extends DataFlow::Configuration {
|
||||
IRTestAllocationConfig() { this = "IRTestAllocationConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) {
|
||||
module IRTestAllocationConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
source.asExpr().(FunctionCall).getTarget().getName() = "source"
|
||||
or
|
||||
source.asIndirectExpr(1).(FunctionCall).getTarget().getName() = "indirect_source"
|
||||
@@ -82,7 +80,7 @@ module IRTest {
|
||||
exists(source.asUninitialized())
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) {
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(FunctionCall call, Expr e | e = call.getAnArgument() |
|
||||
call.getTarget().getName() = "sink" and
|
||||
sink.asExpr() = e
|
||||
@@ -92,7 +90,7 @@ module IRTest {
|
||||
)
|
||||
}
|
||||
|
||||
override predicate isBarrier(DataFlow::Node barrier) {
|
||||
predicate isBarrier(DataFlow::Node barrier) {
|
||||
exists(Expr barrierExpr | barrierExpr in [barrier.asExpr(), barrier.asIndirectExpr()] |
|
||||
barrierExpr.(VariableAccess).getTarget().hasName("barrier")
|
||||
)
|
||||
@@ -102,4 +100,8 @@ module IRTest {
|
||||
barrier = DataFlow::BarrierGuard<testBarrierGuard/3>::getAnIndirectBarrierNode()
|
||||
}
|
||||
}
|
||||
|
||||
module IRFlow = DataFlow::Global<IRTestAllocationConfig>;
|
||||
}
|
||||
|
||||
import MakeTest<MergeTests<AstFlowTest<AstTest::AstFlow>, IRFlowTest<IRTest::IRFlow>>>
|
||||
|
||||
@@ -1,10 +1,8 @@
|
||||
private import semmle.code.cpp.dataflow.DataFlow
|
||||
private import DataFlow
|
||||
|
||||
class AstConf extends Configuration {
|
||||
AstConf() { this = "ASTFieldFlowConf" }
|
||||
|
||||
override predicate isSource(Node src) {
|
||||
module AstConfig implements ConfigSig {
|
||||
predicate isSource(Node src) {
|
||||
src.asExpr() instanceof NewExpr
|
||||
or
|
||||
src.asExpr().(Call).getTarget().hasName("user_input")
|
||||
@@ -15,14 +13,14 @@ class AstConf extends Configuration {
|
||||
)
|
||||
}
|
||||
|
||||
override predicate isSink(Node sink) {
|
||||
predicate isSink(Node sink) {
|
||||
exists(Call c |
|
||||
c.getTarget().hasName("sink") and
|
||||
c.getAnArgument() = sink.asExpr()
|
||||
)
|
||||
}
|
||||
|
||||
override predicate isAdditionalFlowStep(Node a, Node b) {
|
||||
predicate isAdditionalFlowStep(Node a, Node b) {
|
||||
b.asPartialDefinition() =
|
||||
any(Call c | c.getTarget().hasName("insert") and c.getAnArgument() = a.asExpr())
|
||||
.getQualifier()
|
||||
@@ -31,5 +29,4 @@ class AstConf extends Configuration {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for AstConf */
|
||||
deprecated class ASTConf = AstConf;
|
||||
module AstFlow = Global<AstConfig>;
|
||||
|
||||
@@ -1,10 +1,8 @@
|
||||
private import semmle.code.cpp.ir.dataflow.DataFlow
|
||||
private import DataFlow
|
||||
|
||||
class IRConf extends Configuration {
|
||||
IRConf() { this = "IRFieldFlowConf" }
|
||||
|
||||
override predicate isSource(Node src) {
|
||||
module IRConfig implements ConfigSig {
|
||||
predicate isSource(Node src) {
|
||||
src.asExpr() instanceof NewExpr
|
||||
or
|
||||
src.asExpr().(Call).getTarget().hasName("user_input")
|
||||
@@ -15,14 +13,14 @@ class IRConf extends Configuration {
|
||||
)
|
||||
}
|
||||
|
||||
override predicate isSink(Node sink) {
|
||||
predicate isSink(Node sink) {
|
||||
exists(Call c |
|
||||
c.getTarget().hasName("sink") and
|
||||
c.getAnArgument() = [sink.asExpr(), sink.asIndirectExpr(), sink.asConvertedExpr()]
|
||||
)
|
||||
}
|
||||
|
||||
override predicate isAdditionalFlowStep(Node a, Node b) {
|
||||
predicate isAdditionalFlowStep(Node a, Node b) {
|
||||
b.asPartialDefinition() =
|
||||
any(Call c | c.getTarget().hasName("insert") and c.getAnArgument() = a.asExpr())
|
||||
.getQualifier()
|
||||
@@ -30,3 +28,5 @@ class IRConf extends Configuration {
|
||||
b.asExpr().(AddressOfExpr).getOperand() = a.asExpr()
|
||||
}
|
||||
}
|
||||
|
||||
module IRFlow = Global<IRConfig>;
|
||||
|
||||
@@ -0,0 +1,2 @@
|
||||
failures
|
||||
testFailures
|
||||
|
||||
@@ -1,9 +1,11 @@
|
||||
import TestUtilities.dataflow.FlowTestCommon
|
||||
|
||||
module AstTest {
|
||||
private import ASTConfiguration
|
||||
import ASTConfiguration
|
||||
}
|
||||
|
||||
module IRTest {
|
||||
private import IRConfiguration
|
||||
import IRConfiguration
|
||||
}
|
||||
|
||||
import MakeTest<MergeTests<AstFlowTest<AstTest::AstFlow>, IRFlowTest<IRTest::IRFlow>>>
|
||||
|
||||
@@ -4,8 +4,8 @@
|
||||
|
||||
import semmle.code.cpp.ir.dataflow.DataFlow
|
||||
import IRConfiguration
|
||||
import DataFlow::PathGraph
|
||||
import IRFlow::PathGraph
|
||||
|
||||
from DataFlow::PathNode src, DataFlow::PathNode sink, IRConf conf
|
||||
where conf.hasFlowPath(src, sink)
|
||||
from IRFlow::PathNode src, IRFlow::PathNode sink
|
||||
where IRFlow::flowPath(src, sink)
|
||||
select sink, src, sink, sink + " flows from $@", src, src.toString()
|
||||
|
||||
@@ -4,8 +4,8 @@
|
||||
|
||||
import semmle.code.cpp.dataflow.DataFlow
|
||||
import ASTConfiguration
|
||||
import DataFlow::PathGraph
|
||||
import AstFlow::PathGraph
|
||||
|
||||
from DataFlow::PathNode src, DataFlow::PathNode sink, AstConf conf
|
||||
where conf.hasFlowPath(src, sink)
|
||||
from AstFlow::PathNode src, AstFlow::PathNode sink
|
||||
where AstFlow::flowPath(src, sink)
|
||||
select sink, src, sink, sink + " flows from $@", src, src.toString()
|
||||
|
||||
@@ -0,0 +1,2 @@
|
||||
failures
|
||||
testFailures
|
||||
|
||||
@@ -3,37 +3,39 @@ import TestUtilities.dataflow.FlowTestCommon
|
||||
module AstTest {
|
||||
private import semmle.code.cpp.dataflow.TaintTracking
|
||||
|
||||
class AstSmartPointerTaintConfig extends TaintTracking::Configuration {
|
||||
AstSmartPointerTaintConfig() { this = "ASTSmartPointerTaintConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) {
|
||||
module AstSmartPointerTaintConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
source.asExpr().(FunctionCall).getTarget().getName() = "source"
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) {
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(FunctionCall call |
|
||||
call.getTarget().getName() = "sink" and
|
||||
sink.asExpr() = call.getAnArgument()
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
module AstFlow = TaintTracking::Global<AstSmartPointerTaintConfig>;
|
||||
}
|
||||
|
||||
module IRTest {
|
||||
private import semmle.code.cpp.ir.dataflow.TaintTracking
|
||||
|
||||
class IRSmartPointerTaintConfig extends TaintTracking::Configuration {
|
||||
IRSmartPointerTaintConfig() { this = "IRSmartPointerTaintConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) {
|
||||
module IRSmartPointerTaintConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
source.asExpr().(FunctionCall).getTarget().getName() = "source"
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) {
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(FunctionCall call |
|
||||
call.getTarget().getName() = "sink" and
|
||||
sink.asExpr() = call.getAnArgument()
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
module IRFlow = TaintTracking::Global<IRSmartPointerTaintConfig>;
|
||||
}
|
||||
|
||||
import MakeTest<MergeTests<AstFlowTest<AstTest::AstFlow>, IRFlowTest<IRTest::IRFlow>>>
|
||||
|
||||
@@ -0,0 +1,2 @@
|
||||
failures
|
||||
testFailures
|
||||
|
||||
@@ -4,12 +4,10 @@ import cpp
|
||||
import TestUtilities.InlineExpectationsTest
|
||||
import semmle.code.cpp.security.FlowSources
|
||||
|
||||
class LocalFlowSourceTest extends InlineExpectationsTest {
|
||||
LocalFlowSourceTest() { this = "LocalFlowSourceTest" }
|
||||
module LocalFlowSourceTest implements TestSig {
|
||||
string getARelevantTag() { result = "local_source" }
|
||||
|
||||
override string getARelevantTag() { result = "local_source" }
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
tag = "local_source" and
|
||||
exists(LocalFlowSource node, int n |
|
||||
n =
|
||||
@@ -30,3 +28,5 @@ class LocalFlowSourceTest extends InlineExpectationsTest {
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
import MakeTest<LocalFlowSourceTest>
|
||||
|
||||
@@ -0,0 +1,2 @@
|
||||
failures
|
||||
testFailures
|
||||
|
||||
@@ -4,12 +4,10 @@ import cpp
|
||||
import TestUtilities.InlineExpectationsTest
|
||||
import semmle.code.cpp.security.FlowSources
|
||||
|
||||
class RemoteFlowSourceTest extends InlineExpectationsTest {
|
||||
RemoteFlowSourceTest() { this = "RemoteFlowSourceTest" }
|
||||
module RemoteFlowSourceTest implements TestSig {
|
||||
string getARelevantTag() { result = "remote_source" }
|
||||
|
||||
override string getARelevantTag() { result = "remote_source" }
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
tag = "remote_source" and
|
||||
exists(RemoteFlowSource node, int n |
|
||||
n =
|
||||
@@ -31,12 +29,10 @@ class RemoteFlowSourceTest extends InlineExpectationsTest {
|
||||
}
|
||||
}
|
||||
|
||||
class RemoteFlowSinkTest extends InlineExpectationsTest {
|
||||
RemoteFlowSinkTest() { this = "RemoteFlowSinkTest" }
|
||||
module RemoteFlowSinkTest implements TestSig {
|
||||
string getARelevantTag() { result = "remote_sink" }
|
||||
|
||||
override string getARelevantTag() { result = "remote_sink" }
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
tag = "remote_sink" and
|
||||
exists(RemoteFlowSink node, int n |
|
||||
n =
|
||||
@@ -57,3 +53,5 @@ class RemoteFlowSinkTest extends InlineExpectationsTest {
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
import MakeTest<MergeTests<RemoteFlowSourceTest, RemoteFlowSinkTest>>
|
||||
|
||||
@@ -8090,20 +8090,20 @@
|
||||
| vector.cpp:520:25:520:31 | call to vector | vector.cpp:523:8:523:9 | vs | |
|
||||
| vector.cpp:520:25:520:31 | call to vector | vector.cpp:524:8:524:9 | vs | |
|
||||
| vector.cpp:520:25:520:31 | call to vector | vector.cpp:526:8:526:9 | vs | |
|
||||
| vector.cpp:520:25:520:31 | call to vector | vector.cpp:539:8:539:9 | vs | |
|
||||
| vector.cpp:520:25:520:31 | call to vector | vector.cpp:540:2:540:2 | vs | |
|
||||
| vector.cpp:520:25:520:31 | call to vector | vector.cpp:532:8:532:9 | vs | |
|
||||
| vector.cpp:520:25:520:31 | call to vector | vector.cpp:533:2:533:2 | vs | |
|
||||
| vector.cpp:520:30:520:30 | 0 | vector.cpp:520:25:520:31 | call to vector | TAINT |
|
||||
| vector.cpp:523:8:523:9 | ref arg vs | vector.cpp:524:8:524:9 | vs | |
|
||||
| vector.cpp:523:8:523:9 | ref arg vs | vector.cpp:526:8:526:9 | vs | |
|
||||
| vector.cpp:523:8:523:9 | ref arg vs | vector.cpp:539:8:539:9 | vs | |
|
||||
| vector.cpp:523:8:523:9 | ref arg vs | vector.cpp:540:2:540:2 | vs | |
|
||||
| vector.cpp:523:8:523:9 | ref arg vs | vector.cpp:532:8:532:9 | vs | |
|
||||
| vector.cpp:523:8:523:9 | ref arg vs | vector.cpp:533:2:533:2 | vs | |
|
||||
| vector.cpp:523:8:523:9 | vs | vector.cpp:523:10:523:10 | call to operator[] | TAINT |
|
||||
| vector.cpp:524:8:524:9 | ref arg vs | vector.cpp:526:8:526:9 | vs | |
|
||||
| vector.cpp:524:8:524:9 | ref arg vs | vector.cpp:539:8:539:9 | vs | |
|
||||
| vector.cpp:524:8:524:9 | ref arg vs | vector.cpp:540:2:540:2 | vs | |
|
||||
| vector.cpp:524:8:524:9 | ref arg vs | vector.cpp:532:8:532:9 | vs | |
|
||||
| vector.cpp:524:8:524:9 | ref arg vs | vector.cpp:533:2:533:2 | vs | |
|
||||
| vector.cpp:524:8:524:9 | vs | vector.cpp:524:10:524:10 | call to operator[] | TAINT |
|
||||
| vector.cpp:526:8:526:9 | ref arg vs | vector.cpp:539:8:539:9 | vs | |
|
||||
| vector.cpp:526:8:526:9 | ref arg vs | vector.cpp:540:2:540:2 | vs | |
|
||||
| vector.cpp:526:8:526:9 | ref arg vs | vector.cpp:532:8:532:9 | vs | |
|
||||
| vector.cpp:526:8:526:9 | ref arg vs | vector.cpp:533:2:533:2 | vs | |
|
||||
| vector.cpp:526:8:526:9 | vs | vector.cpp:526:11:526:15 | call to begin | TAINT |
|
||||
| vector.cpp:526:11:526:15 | call to begin | vector.cpp:526:3:526:17 | ... = ... | |
|
||||
| vector.cpp:526:11:526:15 | call to begin | vector.cpp:527:9:527:10 | it | |
|
||||
@@ -8128,5 +8128,5 @@
|
||||
| vector.cpp:530:3:530:4 | ref arg it | vector.cpp:531:9:531:10 | it | |
|
||||
| vector.cpp:530:9:530:14 | call to source | vector.cpp:530:3:530:4 | ref arg it | TAINT |
|
||||
| vector.cpp:531:9:531:10 | it | vector.cpp:531:8:531:8 | call to operator* | TAINT |
|
||||
| vector.cpp:539:8:539:9 | ref arg vs | vector.cpp:540:2:540:2 | vs | |
|
||||
| vector.cpp:539:8:539:9 | vs | vector.cpp:539:10:539:10 | call to operator[] | TAINT |
|
||||
| vector.cpp:532:8:532:9 | ref arg vs | vector.cpp:533:2:533:2 | vs | |
|
||||
| vector.cpp:532:8:532:9 | vs | vector.cpp:532:10:532:10 | call to operator[] | TAINT |
|
||||
|
||||
@@ -0,0 +1,2 @@
|
||||
failures
|
||||
testFailures
|
||||
|
||||
@@ -43,10 +43,8 @@ module AstTest {
|
||||
private import semmle.code.cpp.models.interfaces.Taint
|
||||
|
||||
/** Common data flow configuration to be used by tests. */
|
||||
class AstTestAllocationConfig extends TaintTracking::Configuration {
|
||||
AstTestAllocationConfig() { this = "ASTTestAllocationConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) {
|
||||
module AstTestAllocationConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
source.asExpr().(FunctionCall).getTarget().getName() = "source"
|
||||
or
|
||||
source.asParameter().getName().matches("source%")
|
||||
@@ -60,17 +58,19 @@ module AstTest {
|
||||
)
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) {
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(FunctionCall call |
|
||||
call.getTarget().getName() = "sink" and
|
||||
sink.asExpr() = call.getAnArgument()
|
||||
)
|
||||
}
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node barrier) {
|
||||
predicate isBarrier(DataFlow::Node barrier) {
|
||||
barrier.asExpr().(VariableAccess).getTarget().hasName("sanitizer")
|
||||
}
|
||||
}
|
||||
|
||||
module AstFlow = TaintTracking::Global<AstTestAllocationConfig>;
|
||||
}
|
||||
|
||||
module IRTest {
|
||||
@@ -78,10 +78,8 @@ module IRTest {
|
||||
private import semmle.code.cpp.ir.dataflow.TaintTracking
|
||||
|
||||
/** Common data flow configuration to be used by tests. */
|
||||
class TestAllocationConfig extends TaintTracking::Configuration {
|
||||
TestAllocationConfig() { this = "TestAllocationConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) {
|
||||
module TestAllocationConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
source.asExpr().(FunctionCall).getTarget().getName() = "source"
|
||||
or
|
||||
source.asIndirectExpr().(FunctionCall).getTarget().getName() = "source"
|
||||
@@ -94,21 +92,25 @@ module IRTest {
|
||||
)
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) {
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(FunctionCall call |
|
||||
call.getTarget().getName() = "sink" and
|
||||
[sink.asExpr(), sink.asIndirectExpr()] = call.getAnArgument()
|
||||
)
|
||||
}
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node barrier) {
|
||||
predicate isBarrier(DataFlow::Node barrier) {
|
||||
barrier.asExpr().(VariableAccess).getTarget().hasName("sanitizer")
|
||||
}
|
||||
|
||||
override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
|
||||
predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
|
||||
// allow arbitrary reads at sinks
|
||||
this.isSink(node) and
|
||||
isSink(node) and
|
||||
c.(DataFlow::FieldContent).getField().getDeclaringType() = node.getType().getUnspecifiedType()
|
||||
}
|
||||
}
|
||||
|
||||
module IRFlow = TaintTracking::Global<TestAllocationConfig>;
|
||||
}
|
||||
|
||||
import MakeTest<MergeTests<AstFlowTest<AstTest::AstFlow>, IRFlowTest<IRTest::IRFlow>>>
|
||||
|
||||
@@ -523,19 +523,12 @@ void test_vector_iterator() {
|
||||
sink(vs[1]);
|
||||
sink(vs[source()]); // $ MISSING: ast,ir
|
||||
|
||||
it = vs.begin(); // (1)
|
||||
it = vs.begin();
|
||||
sink(*it);
|
||||
it += 1;
|
||||
sink(*it);
|
||||
it += source(); // (2)
|
||||
sink(*it); // $ ast,ir // (3)
|
||||
// This FP happens because of the following flows:
|
||||
// 1. There's a write to the iterator at (2)
|
||||
// 2. This write propagates to `it` on the next line at (3)
|
||||
// 3. There's a taint step from `it` to `*it` at (3)
|
||||
// 4. The `*it` is seen as a use of `vs` because of (1).
|
||||
// 5. There's use-use flow from `*it` at (3) (which is a use of `vs`) to `vs` at (4)
|
||||
// 6. There's a taint step from vs to vs[1]
|
||||
sink(vs[1]); // $ SPURIOUS: ir // (4)
|
||||
it += source();
|
||||
sink(*it); // $ ast,ir
|
||||
sink(vs[1]); // clean
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,2 @@
|
||||
failures
|
||||
testFailures
|
||||
|
||||
@@ -12,12 +12,10 @@ import TestUtilities.InlineExpectationsTest
|
||||
module ModulusAnalysisInstantiated =
|
||||
ModulusAnalysis<FloatDelta, ConstantBounds, RangeUtil<FloatDelta, CppLangImplRelative>>;
|
||||
|
||||
class ModulusAnalysisTest extends InlineExpectationsTest {
|
||||
ModulusAnalysisTest() { this = "ModulusAnalysisTest" }
|
||||
module ModulusAnalysisTest implements TestSig {
|
||||
string getARelevantTag() { result = "mod" }
|
||||
|
||||
override string getARelevantTag() { result = "mod" }
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
exists(SemExpr e, IR::CallInstruction call |
|
||||
getSemanticExpr(call.getArgument(0)) = e and
|
||||
call.getStaticCallTarget().hasName("mod") and
|
||||
@@ -29,6 +27,8 @@ class ModulusAnalysisTest extends InlineExpectationsTest {
|
||||
}
|
||||
}
|
||||
|
||||
import MakeTest<ModulusAnalysisTest>
|
||||
|
||||
private string getAModString(SemExpr e) {
|
||||
exists(SemBound b, int delta, int mod |
|
||||
ModulusAnalysisInstantiated::semExprModulus(e, b, delta, mod) and
|
||||
|
||||
@@ -0,0 +1,2 @@
|
||||
failures
|
||||
testFailures
|
||||
|
||||
@@ -21,12 +21,10 @@ module Raw {
|
||||
result = getOperandMemoryLocation(instr.getAnOperand())
|
||||
}
|
||||
|
||||
class RawPointsToTest extends InlineExpectationsTest {
|
||||
RawPointsToTest() { this = "RawPointsToTest" }
|
||||
module RawPointsToTest implements TestSig {
|
||||
string getARelevantTag() { result = "raw" }
|
||||
|
||||
override string getARelevantTag() { result = "raw" }
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
exists(Instruction instr, MemoryLocation memLocation |
|
||||
memLocation = getAMemoryAccess(instr) and
|
||||
tag = "raw" and
|
||||
@@ -49,12 +47,10 @@ module UnaliasedSsa {
|
||||
result = getOperandMemoryLocation(instr.getAnOperand())
|
||||
}
|
||||
|
||||
class UnaliasedSsaPointsToTest extends InlineExpectationsTest {
|
||||
UnaliasedSsaPointsToTest() { this = "UnaliasedSSAPointsToTest" }
|
||||
module UnaliasedSsaPointsToTest implements TestSig {
|
||||
string getARelevantTag() { result = "ussa" }
|
||||
|
||||
override string getARelevantTag() { result = "ussa" }
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
exists(Instruction instr, MemoryLocation memLocation |
|
||||
memLocation = getAMemoryAccess(instr) and
|
||||
not memLocation.getVirtualVariable() instanceof AliasedVirtualVariable and
|
||||
@@ -69,3 +65,5 @@ module UnaliasedSsa {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
import MakeTest<MergeTests<Raw::RawPointsToTest, UnaliasedSsa::UnaliasedSsaPointsToTest>>
|
||||
|
||||
@@ -0,0 +1,2 @@
|
||||
failures
|
||||
testFailures
|
||||
|
||||
@@ -2,12 +2,10 @@ import cpp
|
||||
import semmle.code.cpp.rangeanalysis.new.SimpleRangeAnalysis
|
||||
import TestUtilities.InlineExpectationsTest
|
||||
|
||||
class RangeAnalysisTest extends InlineExpectationsTest {
|
||||
RangeAnalysisTest() { this = "RangeAnalysisTest" }
|
||||
module RangeAnalysisTest implements TestSig {
|
||||
string getARelevantTag() { result = "overflow" }
|
||||
|
||||
override string getARelevantTag() { result = "overflow" }
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
exists(Expr e |
|
||||
tag = "overflow" and
|
||||
element = e.toString() and
|
||||
@@ -21,3 +19,5 @@ class RangeAnalysisTest extends InlineExpectationsTest {
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
import MakeTest<RangeAnalysisTest>
|
||||
|
||||
@@ -0,0 +1,2 @@
|
||||
failures
|
||||
testFailures
|
||||
|
||||
@@ -5,12 +5,10 @@ import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticExprSpecific
|
||||
import semmle.code.cpp.ir.IR as IR
|
||||
import TestUtilities.InlineExpectationsTest
|
||||
|
||||
class RangeAnalysisTest extends InlineExpectationsTest {
|
||||
RangeAnalysisTest() { this = "RangeAnalysisTest" }
|
||||
module RangeAnalysisTest implements TestSig {
|
||||
string getARelevantTag() { result = "range" }
|
||||
|
||||
override string getARelevantTag() { result = "range" }
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
exists(SemExpr e, IR::CallInstruction call |
|
||||
getSemanticExpr(call.getArgument(0)) = e and
|
||||
call.getStaticCallTarget().hasName("range") and
|
||||
@@ -22,6 +20,8 @@ class RangeAnalysisTest extends InlineExpectationsTest {
|
||||
}
|
||||
}
|
||||
|
||||
import MakeTest<RangeAnalysisTest>
|
||||
|
||||
private string getDirectionString(boolean d) {
|
||||
result = "<=" and d = true
|
||||
or
|
||||
@@ -40,14 +40,7 @@ bindingset[delta]
|
||||
private string getBoundString(SemBound b, float delta) {
|
||||
b instanceof SemZeroBound and result = delta.toString()
|
||||
or
|
||||
result =
|
||||
strictconcat(b.(SemSsaBound)
|
||||
.getAVariable()
|
||||
.(SemanticExprConfig::SsaVariable)
|
||||
.asInstruction()
|
||||
.getAst()
|
||||
.toString(), ":"
|
||||
) + getOffsetString(delta)
|
||||
result = strictconcat(b.(SemSsaBound).getAVariable().toString(), " | ") + getOffsetString(delta)
|
||||
}
|
||||
|
||||
private string getARangeString(SemExpr e) {
|
||||
|
||||
@@ -8,7 +8,7 @@ int test1(struct List* p) {
|
||||
int count = 0;
|
||||
for (; p; p = p->next) {
|
||||
count = count+1;
|
||||
range(count); // $ range===count:p+1
|
||||
range(count); // $ range="==Phi: p | Store: count+1"
|
||||
}
|
||||
range(count);
|
||||
return count;
|
||||
@@ -18,7 +18,7 @@ int test2(struct List* p) {
|
||||
int count = 0;
|
||||
for (; p; p = p->next) {
|
||||
count = (count+1) % 10;
|
||||
range(count); // $ range=<=9 range=>=-9 range=<=count:p+1
|
||||
range(count); // $ range=<=9 range=>=-9 range="<=Phi: p | Store: count+1"
|
||||
}
|
||||
range(count); // $ range=>=-9 range=<=9
|
||||
return count;
|
||||
@@ -29,7 +29,7 @@ int test3(struct List* p) {
|
||||
for (; p; p = p->next) {
|
||||
range(count++); // $ range=>=-9 range=<=9
|
||||
count = count % 10;
|
||||
range(count); // $ range=<=9 range=>=-9 range="<=... +++0" range=<=count:p+1
|
||||
range(count); // $ range=<=9 range=>=-9 range="<=Store: ... +++0" range="<=Phi: p | Store: count+1"
|
||||
}
|
||||
range(count); // $ range=>=-9 range=<=9
|
||||
return count;
|
||||
@@ -42,11 +42,11 @@ int test4() {
|
||||
range(i); // $ range=<=1 range=>=0
|
||||
range(total);
|
||||
total += i;
|
||||
range(total); // $ range=<=i+1 range=<=i+1 MISSING: range=>=0 range=>=i+0
|
||||
range(total); // $ range="<=Phi: i+1" MISSING: range=>=0 range=>=i+0
|
||||
}
|
||||
range(total); // $ MISSING: range=>=0
|
||||
range(i); // $ range===2
|
||||
range(total + i); // $ range=<=i+2 MISSING: range===i+2 range=>=2 range=>=i+0
|
||||
range(total + i); // $ range="<=Phi: i+2" MISSING: range===i+2 range=>=2 range=>=i+0
|
||||
return total + i;
|
||||
}
|
||||
|
||||
@@ -57,11 +57,11 @@ int test5() {
|
||||
range(i); // $ range=<=1 range=>=0
|
||||
range(total); // $ MISSING: range=>=0
|
||||
total += i;
|
||||
range(total); // $ range=<=i+1 MISSING: range=>=0 range=>=i+0
|
||||
range(total); // $ range="<=Phi: i+1" MISSING: range=>=0 range=>=i+0
|
||||
}
|
||||
range(total); // $ MISSING: range=>=0
|
||||
range(i); // $ range===2
|
||||
range(total + i); // $ range=<=i+2 MISSING: range===i+2 range=>=2 range=>=i+0
|
||||
range(total + i); // $ range="<=Phi: i+2" MISSING: range===i+2 range=>=2 range=>=i+0
|
||||
return total + i;
|
||||
}
|
||||
|
||||
@@ -72,7 +72,7 @@ int test6() {
|
||||
range(i); // $ range=<=1 range=>=0
|
||||
range(total); // $ MISSING: range=>=0
|
||||
total += i;
|
||||
range(total); // $ range=<=i+1 MISSING: range=>=0 range=>=i+0
|
||||
range(total); // $ range="<=Phi: i+1" MISSING: range=>=0 range=>=i+0
|
||||
}
|
||||
return total + i;
|
||||
}
|
||||
@@ -93,12 +93,12 @@ int test8(int x, int y) {
|
||||
if (-1000 < y && y < 10) {
|
||||
range(y); // $ range=<=9 range=>=-999
|
||||
if (x < y-2) {
|
||||
range(x); // $ range=<=6 range=<=y-3
|
||||
range(y); // $ range=<=9 range=>=-999 range=>=x+3
|
||||
range(x); // $ range=<=6 range="<=InitializeParameter: y | Store: y-3"
|
||||
range(y); // $ range=<=9 range=>=-999 range=">=InitializeParameter: x | Store: x+3"
|
||||
return x;
|
||||
}
|
||||
range(x); // $ range=>=-1001 range=>=y-2
|
||||
range(y); // $ range=<=9 range=<=x+2 range=>=-999
|
||||
range(x); // $ range=>=-1001 range=">=InitializeParameter: y | Store: y-2"
|
||||
range(y); // $ range=<=9 range="<=InitializeParameter: x | Store: x+2" range=>=-999
|
||||
}
|
||||
range(x);
|
||||
range(y);
|
||||
@@ -127,12 +127,12 @@ int test10(int x, int y) {
|
||||
if (y > 7) {
|
||||
range(y); // $ range=>=8
|
||||
if (x < y) {
|
||||
range(x); // $ range=<=y-1
|
||||
range(y); // $ range=>=8 range=>=x+1
|
||||
range(x); // $ range="<=InitializeParameter: y-1"
|
||||
range(y); // $ range=>=8 range=">=InitializeParameter: x | Store: x+1"
|
||||
return 0;
|
||||
}
|
||||
range(x); // $ range=>=8 range=>=y+0
|
||||
range(y); // $ range=<=x+0 range=>=8
|
||||
range(x); // $ range=>=8 range=">=InitializeParameter: y+0"
|
||||
range(y); // $ range="<=InitializeParameter: x | Store: x+0" range=>=8
|
||||
return x;
|
||||
}
|
||||
range(y); // $ range=<=7
|
||||
@@ -145,7 +145,7 @@ int test11(char *p) {
|
||||
range(*p);
|
||||
if (c != '\0') {
|
||||
*p++ = '\0';
|
||||
range(p); // $ range===p+1
|
||||
range(p); // $ range="==InitializeParameter: p+1"
|
||||
range(*p);
|
||||
}
|
||||
if (c == ':') {
|
||||
@@ -155,7 +155,7 @@ int test11(char *p) {
|
||||
if (c != '\0') {
|
||||
range(c);
|
||||
*p++ = '\0';
|
||||
range(p); // $ range=<=p+2 range===c+1 range=>=p+1
|
||||
range(p); // $ range="<=InitializeParameter: p+2" range="==Phi: c+1" range=">=InitializeParameter: p+1"
|
||||
}
|
||||
if (c != ',') {
|
||||
return 1;
|
||||
@@ -193,7 +193,7 @@ int test13(char c, int i) {
|
||||
unsigned int y = x-1; // $ overflow=-
|
||||
range(y); // $ range===-1 overflow=-
|
||||
int z = i+1; // $ overflow=+
|
||||
range(z); // $ range===i+1
|
||||
range(z); // $ range="==InitializeParameter: i+1"
|
||||
range(c + i + uc + x + y + z); // $ overflow=+- overflow=+ overflow=- MISSING: range=>=1
|
||||
range((double)(c + i + uc + x + y + z)); // $ overflow=+ overflow=+- overflow=- MISSING: range=>=1
|
||||
return (double)(c + i + uc + x + y + z); // $ overflow=+- overflow=+ overflow=-
|
||||
@@ -245,7 +245,7 @@ int test_unary(int a) {
|
||||
range(c); // $ range=<=0 range=>=-11
|
||||
range(b+c); // $ range=<=11 range=>=-11 MISSING:range=">=- ...+0"
|
||||
total += b+c;
|
||||
range(total); // $ range=<=0+11 range=<=19 range=>=0-11 range=>=-19
|
||||
range(total); // $ range="<=Phi: 0+11" range=<=19 range=">=Phi: 0-11" range=>=-19
|
||||
}
|
||||
if (-7 <= a && a <= 11) {
|
||||
range(a); // $ range=<=11 range=>=-7
|
||||
@@ -255,7 +255,7 @@ int test_unary(int a) {
|
||||
range(c); // $ range=<=7 range=>=-11
|
||||
range(b+c); // $ range=<=18 range=>=-18
|
||||
total += b+c;
|
||||
range(total); // $ range="<=- ...+18" range=">=- ...-18" range=<=0+29 range=<=37 range=>=0-29 range=>=-37
|
||||
range(total); // $ range="<=Phi: - ...+18" range=">=Phi: - ...-18" range="<=Phi: 0+29" range=<=37 range=">=Phi: 0-29" range=>=-37
|
||||
}
|
||||
if (-7 <= a && a <= 1) {
|
||||
range(a); // $ range=<=1 range=>=-7
|
||||
@@ -265,7 +265,7 @@ int test_unary(int a) {
|
||||
range(c); // $ range=<=7 range=>=-1
|
||||
range(b+c); // $ range=<=8 range=>=-8
|
||||
total += b+c;
|
||||
range(total); // $ range="<=- ...+8" range="<=- ...+26" range=">=- ...-8" range=">=- ...-26" range=<=0+37 range=<=45 range=>=0-37 range=>=-45
|
||||
range(total); // $ range="<=Phi: - ...+8" range="<=Phi: - ...+26" range=">=Phi: - ...-8" range=">=Phi: - ...-26" range="<=Phi: 0+37" range=<=45 range=">=Phi: 0-37" range=>=-45
|
||||
}
|
||||
if (-7 <= a && a <= 0) {
|
||||
range(a); // $ range=<=0 range=>=-7
|
||||
@@ -275,7 +275,7 @@ int test_unary(int a) {
|
||||
range(c); // $ range=<=7 range=>=0
|
||||
range(b+c); // $ range=>=-7 range=<=7 MISSING:range="<=- ...+0"
|
||||
total += b+c;
|
||||
range(total); // $ range="<=- ...+7" range="<=- ...+15" range="<=- ...+33" range=">=- ...-7" range=">=- ...-15" range=">=- ...-33" range=<=0+44 range=<=52 range=>=0-44 range=>=-52
|
||||
range(total); // $ range="<=Phi: - ...+7" range="<=Phi: - ...+15" range="<=Phi: - ...+33" range=">=Phi: - ...-7" range=">=Phi: - ...-15" range=">=Phi: - ...-33" range="<=Phi: 0+44" range=<=52 Unexpected result: range=">=Phi: 0-44" range=>=-52
|
||||
}
|
||||
if (-7 <= a && a <= -2) {
|
||||
range(a); // $ range=<=-2 range=>=-7
|
||||
@@ -285,9 +285,9 @@ int test_unary(int a) {
|
||||
range(c); // $ range=<=7 range=>=2
|
||||
range(b+c); // $ range=<=5 range=>=-5
|
||||
total += b+c;
|
||||
range(total); // $ range="<=- ...+5" range="<=- ...+12" range="<=- ...+20" range="<=- ...+38" range=">=- ...-5" range=">=- ...-12" range=">=- ...-20" range=">=- ...-38" range=<=0+49 range=<=57 range=>=0-49 range=>=-57
|
||||
range(total); // $ range="<=Phi: - ...+5" range="<=Phi: - ...+12" range="<=Phi: - ...+20" range="<=Phi: - ...+38" range=">=Phi: - ...-5" range=">=Phi: - ...-12" range=">=Phi: - ...-20" range=">=Phi: - ...-38" range="<=Phi: 0+49" range=<=57 range=">=Phi: 0-49" range=>=-57
|
||||
}
|
||||
range(total); // $ range="<=- ...+5" range="<=- ...+12" range="<=- ...+20" range="<=- ...+38" range=">=- ...-5" range=">=- ...-12" range=">=- ...-20" range=">=- ...-38" range=<=0+49 range=<=57 range=>=0-49 range=>=-57
|
||||
range(total); // $ range="<=Phi: - ...+5" range="<=Phi: - ...+12" range="<=Phi: - ...+20" range="<=Phi: - ...+38" range=">=Phi: - ...-5" range=">=Phi: - ...-12" range=">=Phi: - ...-20" range=">=Phi: - ...-38" range="<=Phi: 0+49" range=<=57 range=">=Phi: 0-49" range=>=-57
|
||||
return total;
|
||||
}
|
||||
|
||||
@@ -310,7 +310,7 @@ int test_mult01(int a, int b) {
|
||||
int r = a*b; // 0 .. 253
|
||||
range(r); // $ range=<=253 range=>=0
|
||||
total += r;
|
||||
range(total); // $ range=<=3+253 range=<=506 range=>=0 range=>=3+0
|
||||
range(total); // $ range="<=Phi: 3+253" range=<=506 range=>=0 range=">=Phi: 3+0"
|
||||
}
|
||||
if (3 <= a && a <= 11 && -13 <= b && b <= 23) {
|
||||
range(a); // $ range=<=11 range=>=3
|
||||
@@ -326,7 +326,7 @@ int test_mult01(int a, int b) {
|
||||
int r = a*b; // -143 .. 0
|
||||
range(r); // $ range=<=0 range=>=-143
|
||||
total += r;
|
||||
range(total); // $ range=>=3-143
|
||||
range(total); // $ range=">=Phi: 3-143"
|
||||
}
|
||||
if (3 <= a && a <= 11 && -13 <= b && b <= -7) {
|
||||
range(a); // $ range=<=11 range=>=3
|
||||
@@ -334,9 +334,9 @@ int test_mult01(int a, int b) {
|
||||
int r = a*b; // -143 .. -21
|
||||
range(r); // $ range=<=-21 range=>=-143
|
||||
total += r;
|
||||
range(total); // $ range=>=3-143 range=>=3-286
|
||||
range(total); // $ range=">=Phi: 3-143" range=">=Phi: 3-286"
|
||||
}
|
||||
range(total); // $ range=>=3-143 range=>=3-286
|
||||
range(total); // $ range=">=Phi: 3-143" range=">=Phi: 3-286"
|
||||
return total;
|
||||
}
|
||||
|
||||
@@ -358,7 +358,7 @@ int test_mult02(int a, int b) {
|
||||
int r = a*b; // 0 .. 253
|
||||
range(r); // $ range=<=253 range=>=0
|
||||
total += r;
|
||||
range(total); // $ range=>=0 range=>=0+0 range=<=0+253 range=<=506
|
||||
range(total); // $ range=>=0 range=">=Phi: 0+0" range="<=Phi: 0+253" range=<=506
|
||||
}
|
||||
if (0 <= a && a <= 11 && -13 <= b && b <= 23) {
|
||||
range(a); // $ range=<=11 range=>=0
|
||||
@@ -374,7 +374,7 @@ int test_mult02(int a, int b) {
|
||||
int r = a*b; // -143 .. 0
|
||||
range(r); // $ range=<=0 range=>=-143
|
||||
total += r;
|
||||
range(total); // $ range=>=0-143
|
||||
range(total); // $ range=">=Phi: 0-143"
|
||||
}
|
||||
if (0 <= a && a <= 11 && -13 <= b && b <= -7) {
|
||||
range(a); // $ range=<=11 range=>=0
|
||||
@@ -382,9 +382,9 @@ int test_mult02(int a, int b) {
|
||||
int r = a*b; // -143 .. 0
|
||||
range(r); // $ range=<=0 range=>=-143
|
||||
total += r;
|
||||
range(total); // $ range=>=0-143 range=>=0-286
|
||||
range(total); // $ range=">=Phi: 0-143" range=">=Phi: 0-286"
|
||||
}
|
||||
range(total); // $range=>=0-143 range=>=0-286
|
||||
range(total); // $range=">=Phi: 0-143" range=">=Phi: 0-286"
|
||||
return total;
|
||||
}
|
||||
|
||||
@@ -453,7 +453,7 @@ int test_mult04(int a, int b) {
|
||||
int r = a*b; // -391 .. 0
|
||||
range(r); // $ range=<=0 range=>=-391
|
||||
total += r;
|
||||
range(total); // $ range="<=- ...+0" range=<=0 range=">=- ...-391" range=>=-782
|
||||
range(total); // $ range="<=Phi: - ...+0" range=<=0 range=">=Phi: - ...-391" range=>=-782
|
||||
}
|
||||
if (-17 <= a && a <= 0 && -13 <= b && b <= 23) {
|
||||
range(a); // $ range=<=0 range=>=-17
|
||||
@@ -469,7 +469,7 @@ int test_mult04(int a, int b) {
|
||||
int r = a*b; // 0 .. 221
|
||||
range(r); // $ range=<=221 range=>=0
|
||||
total += r;
|
||||
range(total); // $ range="<=- ...+221"
|
||||
range(total); // $ range="<=Phi: - ...+221"
|
||||
}
|
||||
if (-17 <= a && a <= 0 && -13 <= b && b <= -7) {
|
||||
range(a); // $ range=<=0 range=>=-17
|
||||
@@ -477,9 +477,9 @@ int test_mult04(int a, int b) {
|
||||
int r = a*b; // 0 .. 221
|
||||
range(r); // $ range=<=221 range=>=0
|
||||
total += r;
|
||||
range(total); // $ range="<=- ...+221" range="<=- ...+442"
|
||||
range(total); // $ range="<=Phi: - ...+221" range="<=Phi: - ...+442"
|
||||
}
|
||||
range(total); // $ range="<=- ...+221" range="<=- ...+442"
|
||||
range(total); // $ range="<=Phi: - ...+221" range="<=Phi: - ...+442"
|
||||
return total;
|
||||
}
|
||||
|
||||
@@ -501,7 +501,7 @@ int test_mult05(int a, int b) {
|
||||
int r = a*b; // -391 .. 0
|
||||
range(r); // $ range=<=0 range=>=-391
|
||||
total += r;
|
||||
range(total); // $ range="<=- ...+0" range=<=0 range=">=- ...-391" range=>=-782
|
||||
range(total); // $ range="<=Phi: - ...+0" range=<=0 range=">=Phi: - ...-391" range=>=-782
|
||||
}
|
||||
if (-17 <= a && a <= -2 && -13 <= b && b <= 23) {
|
||||
range(a); // $ range=<=-2 range=>=-17
|
||||
@@ -517,7 +517,7 @@ int test_mult05(int a, int b) {
|
||||
int r = a*b; // 0 .. 221
|
||||
range(r); // $ range=<=221 range=>=0
|
||||
total += r;
|
||||
range(total); // $ range="<=- ...+221"
|
||||
range(total); // $ range="<=Phi: - ...+221"
|
||||
}
|
||||
if (-17 <= a && a <= -2 && -13 <= b && b <= -7) {
|
||||
range(a); // $ range=<=-2 range=>=-17
|
||||
@@ -525,9 +525,9 @@ int test_mult05(int a, int b) {
|
||||
int r = a*b; // 14 .. 221
|
||||
range(r); // $ range=<=221 range=>=14
|
||||
total += r;
|
||||
range(total); // $ range="<=- ...+221" range="<=- ...+442"
|
||||
range(total); // $ range="<=Phi: - ...+221" range="<=Phi: - ...+442"
|
||||
}
|
||||
range(total); // $ range="<=- ...+221" range="<=- ...+442"
|
||||
range(total); // $ range="<=Phi: - ...+221" range="<=Phi: - ...+442"
|
||||
return total;
|
||||
}
|
||||
|
||||
@@ -541,7 +541,7 @@ int test16(int x) {
|
||||
while (i < 3) {
|
||||
range(i); // $ range=<=2 range=>=0
|
||||
i++;
|
||||
range(i); // $ range=<=3 range=>=1 range="==... = ...:i+1" SPURIOUS:range="==... = ...:i+1"
|
||||
range(i); // $ range=<=3 range=>=1 range="==Phi: i | Store: ... = ...+1"
|
||||
}
|
||||
range(d);
|
||||
d = i;
|
||||
@@ -640,14 +640,14 @@ unsigned int test_comma01(unsigned int x) {
|
||||
unsigned int y1;
|
||||
unsigned int y2;
|
||||
y1 = (++y, y);
|
||||
range(y1); // $ range=<=101 range="==... ? ... : ...+1"
|
||||
range(y1); // $ range=<=101 range="==Phi: ... ? ... : ... | Store: ... ? ... : ...+1"
|
||||
y2 = (y++,
|
||||
range(y), // $ range=<=102 range="==++ ...:... = ...+1" range="==... ? ... : ...+2"
|
||||
range(y), // $ range=<=102 range="==Store: ++ ... | Store: ... = ...+1" range="==Phi: ... ? ... : ... | Store: ... ? ... : ...+2"
|
||||
y += 3,
|
||||
range(y), // $ range=<=105 range="==++ ...:... = ...+4" range="==... +++3" range="==... ? ... : ...+5"
|
||||
range(y), // $ range=<=105 range="==Store: ++ ... | Store: ... = ...+4" range="==Store: ... +++3" range="==Phi: ... ? ... : ... | Store: ... ? ... : ...+5"
|
||||
y);
|
||||
range(y2); // $ range=<=105 range="==++ ...:... = ...+4" range="==... +++3" range="==... ? ... : ...+5"
|
||||
range(y1 + y2); // $ range=<=206 range="<=... ? ... : ...+106" MISSING: range=">=++ ...:... = ...+5" range=">=... +++4" range=">=... += ...:... = ...+1" range=">=... ? ... : ...+6"
|
||||
range(y2); // $ range=<=105 range="==Store: ++ ... | Store: ... = ...+4" range="==Store: ... +++3" Unexpected result: range="==Phi: ... ? ... : ... | Store: ... ? ... : ...+5"
|
||||
range(y1 + y2); // $ range=<=206 range="<=Phi: ... ? ... : ... | Store: ... ? ... : ...+106" MISSING: range=">=++ ...:... = ...+5" range=">=... +++4" range=">=... += ...:... = ...+1" range=">=... ? ... : ...+6"
|
||||
return y1 + y2;
|
||||
}
|
||||
|
||||
@@ -672,7 +672,7 @@ void test17() {
|
||||
range(i); // $ range===50
|
||||
|
||||
i = 20 + (j -= 10);
|
||||
range(i); // $ range="==... += ...:... = ...+10" range===60
|
||||
range(i); // $ range="==Store: ... += ... | Store: ... = ...+10" range===60
|
||||
}
|
||||
|
||||
// Tests for unsigned multiplication.
|
||||
@@ -693,7 +693,7 @@ int test_unsigned_mult01(unsigned int a, unsigned b) {
|
||||
int r = a*b; // 0 .. 253
|
||||
range(r);// $ range=>=0 range=<=253
|
||||
total += r;
|
||||
range(total); // $ range=">=(unsigned int)...+0" range=>=0 range=<=506 range="<=(unsigned int)...+253"
|
||||
range(total); // $ range=">=Phi: (unsigned int)...+0" range=>=0 range=<=506 range="<=Phi: (unsigned int)...+253"
|
||||
}
|
||||
if (3 <= a && a <= 11 && 13 <= b && b <= 23) {
|
||||
range(a); // $ range=<=11 range=>=3
|
||||
@@ -701,9 +701,9 @@ int test_unsigned_mult01(unsigned int a, unsigned b) {
|
||||
int r = a*b; // 39 .. 253
|
||||
range(r); // $ range=>=39 range=<=253
|
||||
total += r;
|
||||
range(total); // $ range=>=39 range=<=759 range="<=(unsigned int)...+253" range="<=(unsigned int)...+506" range=">=(unsigned int)...+39"
|
||||
range(total); // $ range=>=39 range=<=759 range="<=Phi: (unsigned int)...+253" range="<=Phi: (unsigned int)...+506" range=">=Phi: (unsigned int)...+39"
|
||||
}
|
||||
range(total); // $ range=>=0 range=<=759 range=">=(unsigned int)...+0" range="<=(unsigned int)...+506" range="<=(unsigned int)...+253"
|
||||
range(total); // $ range=>=0 range=<=759 range=">=Phi: (unsigned int)...+0" range="<=Phi: (unsigned int)...+506" range="<=Phi: (unsigned int)...+253"
|
||||
return total;
|
||||
}
|
||||
|
||||
@@ -722,16 +722,16 @@ int test_unsigned_mult02(unsigned b) {
|
||||
int r = 11*b; // 0 .. 253
|
||||
range(r); // $ range=>=0 range=<=253
|
||||
total += r;
|
||||
range(total); // $ range=">=(unsigned int)...+0" range=>=0 range="<=(unsigned int)...+253" range=<=506
|
||||
range(total); // $ range=">=Phi: (unsigned int)...+0" range=>=0 range="<=Phi: (unsigned int)...+253" range=<=506
|
||||
}
|
||||
if (13 <= b && b <= 23) {
|
||||
range(b); // $ range=<=23 range=>=13
|
||||
int r = 11*b; // 143 .. 253
|
||||
range(r); // $ range=>=143 range=<=253
|
||||
total += r;
|
||||
range(total); // $ range="<=(unsigned int)...+253" range="<=(unsigned int)...+506" range=">=(unsigned int)...+143" range=>=143 range=<=759
|
||||
range(total); // $ range="<=Phi: (unsigned int)...+253" range="<=Phi: (unsigned int)...+506" range=">=Phi: (unsigned int)...+143" range=>=143 range=<=759
|
||||
}
|
||||
range(total); // $ range=>=0 range=<=759 range=">=(unsigned int)...+0" range="<=(unsigned int)...+506" range="<=(unsigned int)...+253"
|
||||
range(total); // $ range=>=0 range=<=759 range=">=Phi: (unsigned int)...+0" range="<=Phi: (unsigned int)...+506" range="<=Phi: (unsigned int)...+253"
|
||||
return total;
|
||||
}
|
||||
|
||||
@@ -851,7 +851,7 @@ int notequal_type_endpoint(unsigned n) {
|
||||
n--; // 1 ..
|
||||
}
|
||||
|
||||
range(n); // $ range=<=n+0 // 0 .. 0
|
||||
range(n); // $ range="<=InitializeParameter: n+0" // 0 .. 0
|
||||
}
|
||||
|
||||
void notequal_refinement(short n) {
|
||||
@@ -946,7 +946,7 @@ void widen_recursive_expr() {
|
||||
for (s = 0; s < 10; s++) {
|
||||
range(s); // $ range=<=9 range=>=0
|
||||
int result = s + s;
|
||||
range(result); // $ range=<=18 range=<=s+9 range=>=0 range=>=s+0
|
||||
range(result); // $ range=<=18 Unexpected result: range="<=Phi: s+9" range=>=0 Unexpected result: range=">=Phi: s+0"
|
||||
}
|
||||
}
|
||||
|
||||
@@ -974,7 +974,7 @@ void test_mod_neg(int s) {
|
||||
|
||||
void test_mod_ternary(int s, bool b) {
|
||||
int s2 = s % (b ? 5 : 500);
|
||||
range(s2); // $ range=>=-499 range=<=499 range="<=... ? ... : ...-1"
|
||||
range(s2); // $ range=>=-499 range=<=499 range="<=Phi: ... ? ... : ...-1"
|
||||
}
|
||||
|
||||
void test_mod_ternary2(int s, bool b1, bool b2) {
|
||||
|
||||
@@ -16,8 +16,8 @@
|
||||
int sum = x + y; // $ overflow=+-
|
||||
} else {
|
||||
if (y > 300) {
|
||||
range(x); // $ range=>=302 range=<=400 range=<=y+1 MISSING: range===y+1
|
||||
range(y); // $ range=>=301 range=<=399 range===x-1
|
||||
range(x); // $ range=>=302 range=<=400 range="<=InitializeParameter: y+1" MISSING: range===y+1
|
||||
range(y); // $ range=>=301 range=<=399 range="==InitializeParameter: x | Store: x-1"
|
||||
int sum = x + y;
|
||||
}
|
||||
}
|
||||
@@ -39,9 +39,9 @@
|
||||
}
|
||||
|
||||
if (y == x - 1 && y > 300 && y + 2 == z && z == 350) { // $ overflow=+ overflow=-
|
||||
range(x); // $ range===349 range===y+1 range===z-1
|
||||
range(y); // $ range===348 range=>=x-1 range===z-2 MISSING: range===x-1
|
||||
range(z); // $ range===350 range=<=y+2 MISSING: range===x+1 range===y+2
|
||||
range(x); // $ range===349 range="==InitializeParameter: y+1" range="==InitializeParameter: z-1"
|
||||
range(y); // $ range===348 range=">=InitializeParameter: x | Store: x-1" range="==InitializeParameter: z-2" MISSING: range===x-1
|
||||
range(z); // $ range===350 range="<=InitializeParameter: y+2" MISSING: range===x+1 range===y+2
|
||||
return x + y + z;
|
||||
}
|
||||
}
|
||||
@@ -56,6 +56,17 @@
|
||||
while (f3_get(n)) n+=2;
|
||||
|
||||
for (int i = 0; i < n; i += 2) {
|
||||
range(i); // $ range=>=0 SPURIOUS: range="<=call to f3_get-1" range="<=call to f3_get-2"
|
||||
range(i); // $ range=>=0 SPURIOUS: range="<=Phi: call to f3_get-1" range="<=Phi: call to f3_get-2"
|
||||
}
|
||||
}
|
||||
|
||||
int f4(int x) {
|
||||
for (int i = 0; i <= 100; i++) {
|
||||
range(i); // $ range=<=100 range=>=0
|
||||
if(i == 100) {
|
||||
range(i); // $ range===100
|
||||
} else {
|
||||
range(i); // $ range=<=99 range=>=0
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,2 @@
|
||||
failures
|
||||
testFailures
|
||||
|
||||
@@ -11,12 +11,10 @@ import TestUtilities.InlineExpectationsTest
|
||||
module SignAnalysisInstantiated =
|
||||
SignAnalysis<FloatDelta, RangeUtil<FloatDelta, CppLangImplRelative>>;
|
||||
|
||||
class SignAnalysisTest extends InlineExpectationsTest {
|
||||
SignAnalysisTest() { this = "SignAnalysisTest" }
|
||||
module SignAnalysisTest implements TestSig {
|
||||
string getARelevantTag() { result = "sign" }
|
||||
|
||||
override string getARelevantTag() { result = "sign" }
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
exists(SemExpr e, IR::CallInstruction call |
|
||||
getSemanticExpr(call.getArgument(0)) = e and
|
||||
call.getStaticCallTarget().hasName("sign") and
|
||||
@@ -28,6 +26,8 @@ class SignAnalysisTest extends InlineExpectationsTest {
|
||||
}
|
||||
}
|
||||
|
||||
import MakeTest<SignAnalysisTest>
|
||||
|
||||
private string getASignString(SemExpr e) {
|
||||
result = strictconcat(SignAnalysisInstantiated::semExprSign(e).toString(), "")
|
||||
}
|
||||
|
||||
@@ -0,0 +1,2 @@
|
||||
failures
|
||||
testFailures
|
||||
|
||||
@@ -2,12 +2,10 @@ private import cpp
|
||||
private import semmle.code.cpp.ir.implementation.raw.IR
|
||||
import TestUtilities.InlineExpectationsTest
|
||||
|
||||
class IRTypesTest extends InlineExpectationsTest {
|
||||
IRTypesTest() { this = "IRTypesTest" }
|
||||
module IRTypesTest implements TestSig {
|
||||
string getARelevantTag() { result = "irtype" }
|
||||
|
||||
override string getARelevantTag() { result = "irtype" }
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
exists(IRUserVariable irVar |
|
||||
location = irVar.getLocation() and
|
||||
element = irVar.toString() and
|
||||
@@ -16,3 +14,5 @@ class IRTypesTest extends InlineExpectationsTest {
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
import MakeTest<IRTypesTest>
|
||||
|
||||
@@ -23,8 +23,6 @@ edges
|
||||
| test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... |
|
||||
| test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... |
|
||||
| test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... |
|
||||
| test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:10:241:10 | b |
|
||||
| test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:10:241:10 | b |
|
||||
| test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... |
|
||||
| test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... |
|
||||
| test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... |
|
||||
@@ -61,7 +59,6 @@ nodes
|
||||
| test_free.cpp:239:14:239:15 | * ... | semmle.label | * ... |
|
||||
| test_free.cpp:241:9:241:10 | * ... | semmle.label | * ... |
|
||||
| test_free.cpp:241:9:241:10 | * ... | semmle.label | * ... |
|
||||
| test_free.cpp:241:10:241:10 | b | semmle.label | b |
|
||||
| test_free.cpp:245:10:245:11 | * ... | semmle.label | * ... |
|
||||
| test_free.cpp:245:10:245:11 | * ... | semmle.label | * ... |
|
||||
| test_free.cpp:246:9:246:10 | * ... | semmle.label | * ... |
|
||||
@@ -92,8 +89,6 @@ subpaths
|
||||
| test_free.cpp:241:9:241:10 | * ... | test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:239:9:239:12 | call to free | call to free |
|
||||
| test_free.cpp:241:9:241:10 | * ... | test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:239:9:239:12 | call to free | call to free |
|
||||
| test_free.cpp:241:9:241:10 | * ... | test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:239:9:239:12 | call to free | call to free |
|
||||
| test_free.cpp:241:10:241:10 | b | test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:10:241:10 | b | Memory may have been previously freed by $@. | test_free.cpp:239:9:239:12 | call to free | call to free |
|
||||
| test_free.cpp:241:10:241:10 | b | test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:10:241:10 | b | Memory may have been previously freed by $@. | test_free.cpp:239:9:239:12 | call to free | call to free |
|
||||
| test_free.cpp:246:9:246:10 | * ... | test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:245:5:245:8 | call to free | call to free |
|
||||
| test_free.cpp:246:9:246:10 | * ... | test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:245:5:245:8 | call to free | call to free |
|
||||
| test_free.cpp:246:9:246:10 | * ... | test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:245:5:245:8 | call to free | call to free |
|
||||
|
||||
@@ -0,0 +1 @@
|
||||
Security/CWE/CWE-119/OverrunWriteProductFlow.ql
|
||||
@@ -1,9 +1,9 @@
|
||||
package,sink,source,summary,sink:code,sink:encryption-decryptor,sink:encryption-encryptor,sink:encryption-keyprop,sink:encryption-symmetrickey,sink:html,sink:remote,sink:sql,sink:xss,source:file,source:file-write,source:local,source:remote,summary:taint,summary:value
|
||||
Dapper,55,,,,,,,,,,55,,,,,,,
|
||||
package,sink,source,summary,sink:code-injection,sink:encryption-decryptor,sink:encryption-encryptor,sink:encryption-keyprop,sink:encryption-symmetrickey,sink:file-content-store,sink:html-injection,sink:js-injection,sink:sql-injection,source:file,source:file-write,source:local,source:remote,summary:taint,summary:value
|
||||
Dapper,55,,,,,,,,,,,55,,,,,,
|
||||
JsonToItemsTaskFactory,,,7,,,,,,,,,,,,,,7,
|
||||
Microsoft.ApplicationBlocks.Data,28,,,,,,,,,,28,,,,,,,
|
||||
Microsoft.ApplicationBlocks.Data,28,,,,,,,,,,,28,,,,,,
|
||||
Microsoft.CSharp,,,24,,,,,,,,,,,,,,24,
|
||||
Microsoft.EntityFrameworkCore,6,,,,,,,,,,6,,,,,,,
|
||||
Microsoft.EntityFrameworkCore,6,,12,,,,,,,,,6,,,,,,12
|
||||
Microsoft.Extensions.Caching.Distributed,,,15,,,,,,,,,,,,,,15,
|
||||
Microsoft.Extensions.Caching.Memory,,,46,,,,,,,,,,,,,,45,1
|
||||
Microsoft.Extensions.Configuration,,,83,,,,,,,,,,,,,,80,3
|
||||
@@ -21,8 +21,8 @@ Microsoft.NET.Build.Tasks,,,1,,,,,,,,,,,,,,1,
|
||||
Microsoft.NETCore.Platforms.BuildTasks,,,4,,,,,,,,,,,,,,4,
|
||||
Microsoft.VisualBasic,,,10,,,,,,,,,,,,,,5,5
|
||||
Microsoft.Win32,,,8,,,,,,,,,,,,,,8,
|
||||
MySql.Data.MySqlClient,48,,,,,,,,,,48,,,,,,,
|
||||
MySql.Data.MySqlClient,48,,,,,,,,,,,48,,,,,,
|
||||
Newtonsoft.Json,,,91,,,,,,,,,,,,,,73,18
|
||||
ServiceStack,194,,7,27,,,,,,75,92,,,,,,7,
|
||||
System,65,25,12154,,8,8,9,,4,,33,3,1,17,3,4,10163,1991
|
||||
ServiceStack,194,,7,27,,,,,75,,,92,,,,,7,
|
||||
System,65,25,12157,,8,8,9,,,4,3,33,1,17,3,4,10163,1994
|
||||
Windows.Security.Cryptography.Core,1,,,,,,,1,,,,,,,,,,
|
||||
|
||||
|
@@ -8,7 +8,7 @@ C# framework & library support
|
||||
|
||||
Framework / library,Package,Flow sources,Taint & value steps,Sinks (total),`CWE-079` :sub:`Cross-site scripting`
|
||||
`ServiceStack <https://servicestack.net/>`_,"``ServiceStack.*``, ``ServiceStack``",,7,194,
|
||||
System,"``System.*``, ``System``",25,12154,65,7
|
||||
Others,"``Dapper``, ``JsonToItemsTaskFactory``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.CSharp``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.NETCore.Platforms.BuildTasks``, ``Microsoft.VisualBasic``, ``Microsoft.Win32``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``, ``Windows.Security.Cryptography.Core``",,556,138,
|
||||
Totals,,25,12717,397,7
|
||||
System,"``System.*``, ``System``",25,12157,65,7
|
||||
Others,"``Dapper``, ``JsonToItemsTaskFactory``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.CSharp``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.NETCore.Platforms.BuildTasks``, ``Microsoft.VisualBasic``, ``Microsoft.Win32``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``, ``Windows.Security.Cryptography.Core``",,568,138,
|
||||
Totals,,25,12732,397,7
|
||||
|
||||
|
||||
@@ -1,2 +1,2 @@
|
||||
CWE,Sink identifier,Label
|
||||
CWE-079,html xss,Cross-site scripting
|
||||
CWE-079,html-injection js-injection,Cross-site scripting
|
||||
|
||||
|
@@ -211,6 +211,11 @@ namespace Semmle.Extraction.CSharp.Entities
|
||||
return Default.CreateGenerated(cx, parent, childIndex, location, ValueAsString(null));
|
||||
}
|
||||
|
||||
if (type.SpecialType is SpecialType.System_DateTime)
|
||||
{
|
||||
return DateTimeObjectCreation.CreateGenerated(cx, parent, childIndex, type, defaultValue, location);
|
||||
}
|
||||
|
||||
// const literal:
|
||||
return Literal.CreateGenerated(cx, parent, childIndex, type, defaultValue, location);
|
||||
}
|
||||
|
||||
@@ -0,0 +1,70 @@
|
||||
using Microsoft.CodeAnalysis;
|
||||
using System.Linq;
|
||||
using System.IO;
|
||||
using Semmle.Extraction.Kinds;
|
||||
|
||||
namespace Semmle.Extraction.CSharp.Entities.Expressions
|
||||
{
|
||||
internal class DateTimeObjectCreation : Expression
|
||||
{
|
||||
private readonly IMethodSymbol constructorSymbol;
|
||||
|
||||
private DateTimeObjectCreation(IMethodSymbol constructorSymbol, ExpressionInfo info) : base(info)
|
||||
{
|
||||
this.constructorSymbol = constructorSymbol;
|
||||
}
|
||||
|
||||
// Gets the value of a System.DateTime object as a string containing the ticks.
|
||||
private static long ValueAsLong(object? value) =>
|
||||
value is System.DateTime d ? d.Ticks : 0;
|
||||
|
||||
// Gets the System.DateTime(long) constructor from the `type` symbol.
|
||||
private static IMethodSymbol? GetDateTimeConstructor(ITypeSymbol? type)
|
||||
{
|
||||
return type?.GetMembers()
|
||||
.Where(m =>
|
||||
m is IMethodSymbol c &&
|
||||
c.GetName() == "ctor" &&
|
||||
c.Parameters.Length == 1 &&
|
||||
c.Parameters[0].Type.SpecialType == SpecialType.System_Int64)
|
||||
.Cast<IMethodSymbol>()
|
||||
.FirstOrDefault();
|
||||
}
|
||||
|
||||
|
||||
protected void PopulateExpression(TextWriter trapFile)
|
||||
{
|
||||
var constructor = Constructor.Create(Context, constructorSymbol);
|
||||
trapFile.expr_call(this, constructor);
|
||||
}
|
||||
|
||||
protected new Expression TryPopulate()
|
||||
{
|
||||
Context.Try(null, null, () => PopulateExpression(Context.TrapWriter.Writer));
|
||||
return this;
|
||||
}
|
||||
|
||||
// Gets an expression that represents a System.DateTime object creation.
|
||||
// The `type` symbol must be a System.DateTime type and the value must be a System.DateTime object.
|
||||
// The expression that is being created is a call to the System.DateTime(long) constructor, where
|
||||
// the number of ticks from the `value` object is used as the argument to the constructor call.
|
||||
public static Expression CreateGenerated(Context cx, IExpressionParentEntity parent, int childIndex, ITypeSymbol type, object? value, Extraction.Entities.Location location)
|
||||
{
|
||||
var constructorSymbol = GetDateTimeConstructor(type) ?? throw new InternalError("Could not find symbol for System.DateTime(long)");
|
||||
var expr = new DateTimeObjectCreation(constructorSymbol, new ExpressionInfo(
|
||||
cx,
|
||||
AnnotatedTypeSymbol.CreateNotAnnotated(type),
|
||||
location,
|
||||
ExprKind.OBJECT_CREATION,
|
||||
parent,
|
||||
childIndex,
|
||||
true,
|
||||
null));
|
||||
|
||||
var longTypeSymbol = constructorSymbol.Parameters[0].Type;
|
||||
Literal.CreateGenerated(cx, expr, 0, longTypeSymbol, ValueAsLong(value), location);
|
||||
|
||||
return expr.TryPopulate();
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -381,8 +381,17 @@ namespace Semmle.Extraction.CSharp
|
||||
references => ResolveReferences(compilerArguments, analyser, canonicalPathCache, references),
|
||||
(analyser, syntaxTrees) =>
|
||||
{
|
||||
var paths = compilerArguments.SourceFiles
|
||||
.Select(src => src.Path)
|
||||
.ToList();
|
||||
|
||||
if (compilerArguments.GeneratedFilesOutputDirectory is not null)
|
||||
{
|
||||
paths.AddRange(Directory.GetFiles(compilerArguments.GeneratedFilesOutputDirectory, "*.cs", SearchOption.AllDirectories));
|
||||
}
|
||||
|
||||
return ReadSyntaxTrees(
|
||||
compilerArguments.SourceFiles.Select(src => canonicalPathCache.GetCanonicalPath(src.Path)),
|
||||
paths.Select(canonicalPathCache.GetCanonicalPath),
|
||||
analyser,
|
||||
compilerArguments.ParseOptions,
|
||||
compilerArguments.Encoding,
|
||||
|
||||
@@ -0,0 +1,6 @@
|
||||
| Program.cs:0:0:0:0 | Program.cs |
|
||||
| obj/Debug/net7.0/.NETCoreApp,Version=v7.0.AssemblyAttributes.cs:0:0:0:0 | obj/Debug/net7.0/.NETCoreApp,Version=v7.0.AssemblyAttributes.cs |
|
||||
| obj/Debug/net7.0/cshtml.AssemblyInfo.cs:0:0:0:0 | obj/Debug/net7.0/cshtml.AssemblyInfo.cs |
|
||||
| obj/Debug/net7.0/cshtml.GlobalUsings.g.cs:0:0:0:0 | obj/Debug/net7.0/cshtml.GlobalUsings.g.cs |
|
||||
| obj/Debug/net7.0/cshtml.RazorAssemblyInfo.cs:0:0:0:0 | obj/Debug/net7.0/cshtml.RazorAssemblyInfo.cs |
|
||||
| obj/Debug/net7.0/generated/Microsoft.NET.Sdk.Razor.SourceGenerators/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Views_Home_Index_cshtml.g.cs:0:0:0:0 | obj/Debug/net7.0/generated/Microsoft.NET.Sdk.Razor.SourceGenerators/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Views_Home_Index_cshtml.g.cs |
|
||||
@@ -0,0 +1,5 @@
|
||||
import csharp
|
||||
|
||||
from File f
|
||||
where f.fromSource()
|
||||
select f
|
||||
@@ -0,0 +1 @@
|
||||
var dummy = "dummy";
|
||||
@@ -0,0 +1,8 @@
|
||||
@{
|
||||
ViewData["Title"] = "Home Page";
|
||||
}
|
||||
|
||||
<div class="text-center">
|
||||
<h1 class="display-4">Welcome</h1>
|
||||
<p>Learn about <a href="https://docs.microsoft.com/aspnet/core">building Web apps with ASP.NET Core</a>.</p>
|
||||
</div>
|
||||
@@ -0,0 +1,14 @@
|
||||
<Project Sdk="Microsoft.NET.Sdk.Web">
|
||||
|
||||
<PropertyGroup>
|
||||
<OutputType>Exe</OutputType>
|
||||
<TargetFramework>net7.0</TargetFramework>
|
||||
<ImplicitUsings>enable</ImplicitUsings>
|
||||
<Nullable>enable</Nullable>
|
||||
</PropertyGroup>
|
||||
|
||||
<Target Name="DeleteBinObjFolders" BeforeTargets="Clean">
|
||||
<RemoveDir Directories=".\bin" />
|
||||
<RemoveDir Directories=".\obj" />
|
||||
</Target>
|
||||
</Project>
|
||||
3
csharp/ql/integration-tests/all-platforms/cshtml/test.py
Normal file
3
csharp/ql/integration-tests/all-platforms/cshtml/test.py
Normal file
@@ -0,0 +1,3 @@
|
||||
from create_database_utils import *
|
||||
|
||||
run_codeql_database_create(['dotnet build'], lang="csharp", extra_args=["--extractor-option=cil=false"])
|
||||
@@ -0,0 +1,9 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Updated the following C# sink kind names. Any custom data extensions that use these sink kinds will need to be updated accordingly in order to continue working.
|
||||
* `code` to `code-injection`
|
||||
* `sql` to `sql-injection`
|
||||
* `html` to `html-injection`
|
||||
* `xss` to `js-injection`
|
||||
* `remote` to `file-content-store`
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: majorAnalysis
|
||||
---
|
||||
* The extractor has been changed to run after the traced compiler call. This allows inspecting compiler generated files, such as the output of source generators. With this change, `.cshtml` files and their generated `.cshtml.g.cs` counterparts are extracted on dotnet 6 and above.
|
||||
@@ -3,58 +3,58 @@ extensions:
|
||||
pack: codeql/csharp-all
|
||||
extensible: sinkModel
|
||||
data:
|
||||
- ["Dapper", "SqlMapper", False, "Execute", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "ExecuteAsync", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "ExecuteReader", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "ExecuteReaderAsync", "(System.Data.DbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "ExecuteReaderAsync", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "ExecuteScalar", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "ExecuteScalar<>", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "ExecuteScalarAsync", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "ExecuteScalarAsync<>", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "Query", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Boolean,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "Query", "(System.Data.IDbConnection,System.Type,System.String,System.Object,System.Data.IDbTransaction,System.Boolean,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "Query<,,,,,,,>", "(System.Data.IDbConnection,System.String,System.Func<TFirst,TSecond,TThird,TFourth,TFifth,TSixth,TSeventh,TReturn>,System.Object,System.Data.IDbTransaction,System.Boolean,System.String,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "Query<,,,,,,>", "(System.Data.IDbConnection,System.String,System.Func<TFirst,TSecond,TThird,TFourth,TFifth,TSixth,TReturn>,System.Object,System.Data.IDbTransaction,System.Boolean,System.String,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "Query<,,,,,>", "(System.Data.IDbConnection,System.String,System.Func<TFirst,TSecond,TThird,TFourth,TFifth,TReturn>,System.Object,System.Data.IDbTransaction,System.Boolean,System.String,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "Query<,,,,>", "(System.Data.IDbConnection,System.String,System.Func<TFirst,TSecond,TThird,TFourth,TReturn>,System.Object,System.Data.IDbTransaction,System.Boolean,System.String,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "Query<,,,>", "(System.Data.IDbConnection,System.String,System.Func<TFirst,TSecond,TThird,TReturn>,System.Object,System.Data.IDbTransaction,System.Boolean,System.String,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "Query<,,>", "(System.Data.IDbConnection,System.String,System.Func<TFirst,TSecond,TReturn>,System.Object,System.Data.IDbTransaction,System.Boolean,System.String,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "Query<>", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Boolean,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "Query<>", "(System.Data.IDbConnection,System.String,System.Type[],System.Func<System.Object[],TReturn>,System.Object,System.Data.IDbTransaction,System.Boolean,System.String,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryAsync", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryAsync", "(System.Data.IDbConnection,System.Type,System.String,System.Object,System.Data.IDbTransaction,System.Boolean,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryAsync<,,,,,,,>", "(System.Data.IDbConnection,System.String,System.Func<TFirst,TSecond,TThird,TFourth,TFifth,TSixth,TSeventh,TReturn>,System.Object,System.Data.IDbTransaction,System.Boolean,System.String,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryAsync<,,,,,,>", "(System.Data.IDbConnection,System.String,System.Func<TFirst,TSecond,TThird,TFourth,TFifth,TSixth,TReturn>,System.Object,System.Data.IDbTransaction,System.Boolean,System.String,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryAsync<,,,,,>", "(System.Data.IDbConnection,System.String,System.Func<TFirst,TSecond,TThird,TFourth,TFifth,TReturn>,System.Object,System.Data.IDbTransaction,System.Boolean,System.String,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryAsync<,,,,>", "(System.Data.IDbConnection,System.String,System.Func<TFirst,TSecond,TThird,TFourth,TReturn>,System.Object,System.Data.IDbTransaction,System.Boolean,System.String,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryAsync<,,,>", "(System.Data.IDbConnection,System.String,System.Func<TFirst,TSecond,TThird,TReturn>,System.Object,System.Data.IDbTransaction,System.Boolean,System.String,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryAsync<,,>", "(System.Data.IDbConnection,System.String,System.Func<TFirst,TSecond,TReturn>,System.Object,System.Data.IDbTransaction,System.Boolean,System.String,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryAsync<>", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryAsync<>", "(System.Data.IDbConnection,System.String,System.Type[],System.Func<System.Object[],TReturn>,System.Object,System.Data.IDbTransaction,System.Boolean,System.String,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryFirst", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryFirst", "(System.Data.IDbConnection,System.Type,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryFirst<>", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryFirstAsync", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryFirstAsync", "(System.Data.IDbConnection,System.Type,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryFirstAsync<>", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryFirstOrDefault", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryFirstOrDefault", "(System.Data.IDbConnection,System.Type,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryFirstOrDefault<>", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryFirstOrDefaultAsync", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryFirstOrDefaultAsync", "(System.Data.IDbConnection,System.Type,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryFirstOrDefaultAsync<>", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryMultiple", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryMultipleAsync", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QuerySingle", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QuerySingle", "(System.Data.IDbConnection,System.Type,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QuerySingle<>", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QuerySingleAsync", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QuerySingleAsync", "(System.Data.IDbConnection,System.Type,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QuerySingleAsync<>", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QuerySingleOrDefault", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QuerySingleOrDefault", "(System.Data.IDbConnection,System.Type,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QuerySingleOrDefault<>", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QuerySingleOrDefaultAsync", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QuerySingleOrDefaultAsync", "(System.Data.IDbConnection,System.Type,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QuerySingleOrDefaultAsync<>", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "Execute", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "ExecuteAsync", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "ExecuteReader", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "ExecuteReaderAsync", "(System.Data.DbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "ExecuteReaderAsync", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "ExecuteScalar", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "ExecuteScalar<>", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "ExecuteScalarAsync", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "ExecuteScalarAsync<>", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "Query", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Boolean,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "Query", "(System.Data.IDbConnection,System.Type,System.String,System.Object,System.Data.IDbTransaction,System.Boolean,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "Query<,,,,,,,>", "(System.Data.IDbConnection,System.String,System.Func<TFirst,TSecond,TThird,TFourth,TFifth,TSixth,TSeventh,TReturn>,System.Object,System.Data.IDbTransaction,System.Boolean,System.String,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "Query<,,,,,,>", "(System.Data.IDbConnection,System.String,System.Func<TFirst,TSecond,TThird,TFourth,TFifth,TSixth,TReturn>,System.Object,System.Data.IDbTransaction,System.Boolean,System.String,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "Query<,,,,,>", "(System.Data.IDbConnection,System.String,System.Func<TFirst,TSecond,TThird,TFourth,TFifth,TReturn>,System.Object,System.Data.IDbTransaction,System.Boolean,System.String,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "Query<,,,,>", "(System.Data.IDbConnection,System.String,System.Func<TFirst,TSecond,TThird,TFourth,TReturn>,System.Object,System.Data.IDbTransaction,System.Boolean,System.String,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "Query<,,,>", "(System.Data.IDbConnection,System.String,System.Func<TFirst,TSecond,TThird,TReturn>,System.Object,System.Data.IDbTransaction,System.Boolean,System.String,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "Query<,,>", "(System.Data.IDbConnection,System.String,System.Func<TFirst,TSecond,TReturn>,System.Object,System.Data.IDbTransaction,System.Boolean,System.String,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "Query<>", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Boolean,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "Query<>", "(System.Data.IDbConnection,System.String,System.Type[],System.Func<System.Object[],TReturn>,System.Object,System.Data.IDbTransaction,System.Boolean,System.String,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryAsync", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryAsync", "(System.Data.IDbConnection,System.Type,System.String,System.Object,System.Data.IDbTransaction,System.Boolean,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryAsync<,,,,,,,>", "(System.Data.IDbConnection,System.String,System.Func<TFirst,TSecond,TThird,TFourth,TFifth,TSixth,TSeventh,TReturn>,System.Object,System.Data.IDbTransaction,System.Boolean,System.String,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryAsync<,,,,,,>", "(System.Data.IDbConnection,System.String,System.Func<TFirst,TSecond,TThird,TFourth,TFifth,TSixth,TReturn>,System.Object,System.Data.IDbTransaction,System.Boolean,System.String,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryAsync<,,,,,>", "(System.Data.IDbConnection,System.String,System.Func<TFirst,TSecond,TThird,TFourth,TFifth,TReturn>,System.Object,System.Data.IDbTransaction,System.Boolean,System.String,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryAsync<,,,,>", "(System.Data.IDbConnection,System.String,System.Func<TFirst,TSecond,TThird,TFourth,TReturn>,System.Object,System.Data.IDbTransaction,System.Boolean,System.String,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryAsync<,,,>", "(System.Data.IDbConnection,System.String,System.Func<TFirst,TSecond,TThird,TReturn>,System.Object,System.Data.IDbTransaction,System.Boolean,System.String,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryAsync<,,>", "(System.Data.IDbConnection,System.String,System.Func<TFirst,TSecond,TReturn>,System.Object,System.Data.IDbTransaction,System.Boolean,System.String,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryAsync<>", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryAsync<>", "(System.Data.IDbConnection,System.String,System.Type[],System.Func<System.Object[],TReturn>,System.Object,System.Data.IDbTransaction,System.Boolean,System.String,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryFirst", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryFirst", "(System.Data.IDbConnection,System.Type,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryFirst<>", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryFirstAsync", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryFirstAsync", "(System.Data.IDbConnection,System.Type,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryFirstAsync<>", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryFirstOrDefault", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryFirstOrDefault", "(System.Data.IDbConnection,System.Type,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryFirstOrDefault<>", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryFirstOrDefaultAsync", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryFirstOrDefaultAsync", "(System.Data.IDbConnection,System.Type,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryFirstOrDefaultAsync<>", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryMultiple", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QueryMultipleAsync", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QuerySingle", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QuerySingle", "(System.Data.IDbConnection,System.Type,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QuerySingle<>", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QuerySingleAsync", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QuerySingleAsync", "(System.Data.IDbConnection,System.Type,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QuerySingleAsync<>", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QuerySingleOrDefault", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QuerySingleOrDefault", "(System.Data.IDbConnection,System.Type,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QuerySingleOrDefault<>", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QuerySingleOrDefaultAsync", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QuerySingleOrDefaultAsync", "(System.Data.IDbConnection,System.Type,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["Dapper", "SqlMapper", False, "QuerySingleOrDefaultAsync<>", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
|
||||
@@ -3,31 +3,31 @@ extensions:
|
||||
pack: codeql/csharp-all
|
||||
extensible: sinkModel
|
||||
data:
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteDataset", "(System.Data.SqlClient.SqlConnection,System.Data.CommandType,System.String)", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteDataset", "(System.Data.SqlClient.SqlConnection,System.Data.CommandType,System.String,System.Data.SqlClient.SqlParameter[])", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteDataset", "(System.Data.SqlClient.SqlTransaction,System.Data.CommandType,System.String)", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteDataset", "(System.Data.SqlClient.SqlTransaction,System.Data.CommandType,System.String,System.Data.SqlClient.SqlParameter[])", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteDataset", "(System.String,System.Data.CommandType,System.String)", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteDataset", "(System.String,System.Data.CommandType,System.String,System.Data.SqlClient.SqlParameter[])", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteNonQuery", "(System.Data.SqlClient.SqlConnection,System.Data.CommandType,System.String)", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteNonQuery", "(System.Data.SqlClient.SqlConnection,System.Data.CommandType,System.String,System.Data.SqlClient.SqlParameter[])", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteNonQuery", "(System.Data.SqlClient.SqlTransaction,System.Data.CommandType,System.String)", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteNonQuery", "(System.Data.SqlClient.SqlTransaction,System.Data.CommandType,System.String,System.Data.SqlClient.SqlParameter[])", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteNonQuery", "(System.String,System.Data.CommandType,System.String)", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteNonQuery", "(System.String,System.Data.CommandType,System.String,System.Data.SqlClient.SqlParameter[])", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteReader", "(System.Data.SqlClient.SqlConnection,System.Data.CommandType,System.String)", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteReader", "(System.Data.SqlClient.SqlConnection,System.Data.CommandType,System.String,System.Data.SqlClient.SqlParameter[])", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteReader", "(System.Data.SqlClient.SqlTransaction,System.Data.CommandType,System.String)", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteReader", "(System.Data.SqlClient.SqlTransaction,System.Data.CommandType,System.String,System.Data.SqlClient.SqlParameter[])", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteReader", "(System.String,System.Data.CommandType,System.String)", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteReader", "(System.String,System.Data.CommandType,System.String,System.Data.SqlClient.SqlParameter[])", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteScalar", "(System.Data.SqlClient.SqlConnection,System.Data.CommandType,System.String)", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteScalar", "(System.Data.SqlClient.SqlConnection,System.Data.CommandType,System.String,System.Data.SqlClient.SqlParameter[])", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteScalar", "(System.Data.SqlClient.SqlTransaction,System.Data.CommandType,System.String)", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteScalar", "(System.Data.SqlClient.SqlTransaction,System.Data.CommandType,System.String,System.Data.SqlClient.SqlParameter[])", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteScalar", "(System.String,System.Data.CommandType,System.String)", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteScalar", "(System.String,System.Data.CommandType,System.String,System.Data.SqlClient.SqlParameter[])", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteXmlReader", "(System.Data.SqlClient.SqlConnection,System.Data.CommandType,System.String)", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteXmlReader", "(System.Data.SqlClient.SqlConnection,System.Data.CommandType,System.String,System.Data.SqlClient.SqlParameter[])", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteXmlReader", "(System.Data.SqlClient.SqlTransaction,System.Data.CommandType,System.String)", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteXmlReader", "(System.Data.SqlClient.SqlTransaction,System.Data.CommandType,System.String,System.Data.SqlClient.SqlParameter[])", "", "Argument[2]", "sql", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteDataset", "(System.Data.SqlClient.SqlConnection,System.Data.CommandType,System.String)", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteDataset", "(System.Data.SqlClient.SqlConnection,System.Data.CommandType,System.String,System.Data.SqlClient.SqlParameter[])", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteDataset", "(System.Data.SqlClient.SqlTransaction,System.Data.CommandType,System.String)", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteDataset", "(System.Data.SqlClient.SqlTransaction,System.Data.CommandType,System.String,System.Data.SqlClient.SqlParameter[])", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteDataset", "(System.String,System.Data.CommandType,System.String)", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteDataset", "(System.String,System.Data.CommandType,System.String,System.Data.SqlClient.SqlParameter[])", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteNonQuery", "(System.Data.SqlClient.SqlConnection,System.Data.CommandType,System.String)", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteNonQuery", "(System.Data.SqlClient.SqlConnection,System.Data.CommandType,System.String,System.Data.SqlClient.SqlParameter[])", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteNonQuery", "(System.Data.SqlClient.SqlTransaction,System.Data.CommandType,System.String)", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteNonQuery", "(System.Data.SqlClient.SqlTransaction,System.Data.CommandType,System.String,System.Data.SqlClient.SqlParameter[])", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteNonQuery", "(System.String,System.Data.CommandType,System.String)", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteNonQuery", "(System.String,System.Data.CommandType,System.String,System.Data.SqlClient.SqlParameter[])", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteReader", "(System.Data.SqlClient.SqlConnection,System.Data.CommandType,System.String)", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteReader", "(System.Data.SqlClient.SqlConnection,System.Data.CommandType,System.String,System.Data.SqlClient.SqlParameter[])", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteReader", "(System.Data.SqlClient.SqlTransaction,System.Data.CommandType,System.String)", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteReader", "(System.Data.SqlClient.SqlTransaction,System.Data.CommandType,System.String,System.Data.SqlClient.SqlParameter[])", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteReader", "(System.String,System.Data.CommandType,System.String)", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteReader", "(System.String,System.Data.CommandType,System.String,System.Data.SqlClient.SqlParameter[])", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteScalar", "(System.Data.SqlClient.SqlConnection,System.Data.CommandType,System.String)", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteScalar", "(System.Data.SqlClient.SqlConnection,System.Data.CommandType,System.String,System.Data.SqlClient.SqlParameter[])", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteScalar", "(System.Data.SqlClient.SqlTransaction,System.Data.CommandType,System.String)", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteScalar", "(System.Data.SqlClient.SqlTransaction,System.Data.CommandType,System.String,System.Data.SqlClient.SqlParameter[])", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteScalar", "(System.String,System.Data.CommandType,System.String)", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteScalar", "(System.String,System.Data.CommandType,System.String,System.Data.SqlClient.SqlParameter[])", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteXmlReader", "(System.Data.SqlClient.SqlConnection,System.Data.CommandType,System.String)", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteXmlReader", "(System.Data.SqlClient.SqlConnection,System.Data.CommandType,System.String,System.Data.SqlClient.SqlParameter[])", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteXmlReader", "(System.Data.SqlClient.SqlTransaction,System.Data.CommandType,System.String)", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteXmlReader", "(System.Data.SqlClient.SqlTransaction,System.Data.CommandType,System.String,System.Data.SqlClient.SqlParameter[])", "", "Argument[2]", "sql-injection", "manual"]
|
||||
|
||||
@@ -1,11 +1,29 @@
|
||||
extensions:
|
||||
- addsTo:
|
||||
pack: codeql/csharp-all
|
||||
extensible: summaryModel
|
||||
data:
|
||||
- ["Microsoft.EntityFrameworkCore", "DbSet<>", False, "Add", "(TEntity)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
|
||||
- ["Microsoft.EntityFrameworkCore", "DbSet<>", False, "AddAsync", "(TEntity,System.Threading.CancellationToken)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
|
||||
- ["Microsoft.EntityFrameworkCore", "DbSet<>", False, "AddRange", "(System.Collections.Generic.IEnumerable<TEntity>)", "", "Argument[0].WithElement", "Argument[this]", "value", "manual"]
|
||||
- ["Microsoft.EntityFrameworkCore", "DbSet<>", False, "AddRange", "(TEntity[])", "", "Argument[0].WithElement", "Argument[this]", "value", "manual"]
|
||||
- ["Microsoft.EntityFrameworkCore", "DbSet<>", False, "AddRangeAsync", "(System.Collections.Generic.IEnumerable<TEntity>,System.Threading.CancellationToken)", "", "Argument[0].WithElement", "Argument[this]", "value", "manual"]
|
||||
- ["Microsoft.EntityFrameworkCore", "DbSet<>", False, "AddRangeAsync", "(TEntity[])", "", "Argument[0].WithElement", "Argument[this]", "value", "manual"]
|
||||
- ["Microsoft.EntityFrameworkCore", "DbSet<>", False, "Attach", "(TEntity)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
|
||||
- ["Microsoft.EntityFrameworkCore", "DbSet<>", False, "AttachRange", "(System.Collections.Generic.IEnumerable<TEntity>)", "", "Argument[0].WithElement", "Argument[this]", "value", "manual"]
|
||||
- ["Microsoft.EntityFrameworkCore", "DbSet<>", False, "AttachRange", "(TEntity[])", "", "Argument[0].WithElement", "Argument[this]", "value", "manual"]
|
||||
- ["Microsoft.EntityFrameworkCore", "DbSet<>", False, "Update", "(TEntity)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
|
||||
- ["Microsoft.EntityFrameworkCore", "DbSet<>", False, "UpdateRange", "(System.Collections.Generic.IEnumerable<TEntity>)", "", "Argument[0].WithElement", "Argument[this]", "value", "manual"]
|
||||
- ["Microsoft.EntityFrameworkCore", "DbSet<>", False, "UpdateRange", "(TEntity[])", "", "Argument[0].WithElement", "Argument[this]", "value", "manual"]
|
||||
|
||||
|
||||
- addsTo:
|
||||
pack: codeql/csharp-all
|
||||
extensible: sinkModel
|
||||
data:
|
||||
- ["Microsoft.EntityFrameworkCore", "RelationalDatabaseFacadeExtensions", False, "ExecuteSqlRaw", "(Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade,System.String,System.Collections.Generic.IEnumerable<System.Object>)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Microsoft.EntityFrameworkCore", "RelationalDatabaseFacadeExtensions", False, "ExecuteSqlRaw", "(Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade,System.String,System.Object[])", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Microsoft.EntityFrameworkCore", "RelationalDatabaseFacadeExtensions", False, "ExecuteSqlRawAsync", "(Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade,System.String,System.Collections.Generic.IEnumerable<System.Object>,System.Threading.CancellationToken)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Microsoft.EntityFrameworkCore", "RelationalDatabaseFacadeExtensions", False, "ExecuteSqlRawAsync", "(Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade,System.String,System.Object[])", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Microsoft.EntityFrameworkCore", "RelationalDatabaseFacadeExtensions", False, "ExecuteSqlRawAsync", "(Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade,System.String,System.Threading.CancellationToken)", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Microsoft.EntityFrameworkCore", "RelationalQueryableExtensions", False, "FromSqlRaw<>", "(Microsoft.EntityFrameworkCore.DbSet<TEntity>,System.String,System.Object[])", "", "Argument[1]", "sql", "manual"]
|
||||
- ["Microsoft.EntityFrameworkCore", "RelationalDatabaseFacadeExtensions", False, "ExecuteSqlRaw", "(Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade,System.String,System.Collections.Generic.IEnumerable<System.Object>)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Microsoft.EntityFrameworkCore", "RelationalDatabaseFacadeExtensions", False, "ExecuteSqlRaw", "(Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade,System.String,System.Object[])", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Microsoft.EntityFrameworkCore", "RelationalDatabaseFacadeExtensions", False, "ExecuteSqlRawAsync", "(Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade,System.String,System.Collections.Generic.IEnumerable<System.Object>,System.Threading.CancellationToken)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Microsoft.EntityFrameworkCore", "RelationalDatabaseFacadeExtensions", False, "ExecuteSqlRawAsync", "(Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade,System.String,System.Object[])", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Microsoft.EntityFrameworkCore", "RelationalDatabaseFacadeExtensions", False, "ExecuteSqlRawAsync", "(Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade,System.String,System.Threading.CancellationToken)", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["Microsoft.EntityFrameworkCore", "RelationalQueryableExtensions", False, "FromSqlRaw<>", "(Microsoft.EntityFrameworkCore.DbSet<TEntity>,System.String,System.Object[])", "", "Argument[1]", "sql-injection", "manual"]
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user